DEPARTMENT OF DEFENSE
Defense Commissary Agency
Fort Lee, VA 23801-1800
MANUAL
INTERNAL AUDIT MANUAL
DeCAM 90-5.1
August 15, 2014
Internal Audit
OPR: DeCA/CCIA
1. POLICY. This manual is issued under the authority of Defense Commissary Agency
Directive (DeCAD) 90-5, “Internal Audit Activities,” July 11, 2014 (Reference (a)). Users of
this Manual will comply with all policies as defined in DeCAD 90-5 references listed within.
2. PURPOSE. This manual contains guidance and procedures for accomplishing audits within
the Defense Commissary Agency (DeCA). It supplements all references listed within. The
Internal Audit Manual is established in compliance with Department of Defense Directive
(DoDD) 5105.55, “Defense Commissary Agency,” March 12, 2008, (Reference (b)), and other
regulatory documents listed within this manual.
a. This Manual is not intended to provide specific guidance for every situation or condition
auditors may encounter in their daily operations. Auditors must consult appropriate levels of
DeCA’s Internal Audit Division (CCIA) within the Office of the Inspector General (CCI) for
guidance, as necessary. The Deputy Director for Audit (Supervisory Auditor) has oversight of
DeCA’s internal audits and the Director, Inspector General (IG) has accountability for audit to
the Agency’s Director and Chief Executive Officer (CEO).
b. All DeCA organizational elements are encouraged to submit suggested changes to this
Manual, through channels, to DeCA Headquarters (HQ) CCIA, when they identify control
weaknesses. DeCA CCIA may approve or issue instructions to implement or supplement
procedures contained herein.
3. APPLICABILITY. This Manual applies to conducting internal audits of DeCA’s
operations.
4. RELEASABILITY – UNLIMITED. This Manual is approved for public release and is
located on DeCA’s Internet Web site at https/www.commissaries.com/employees/Resource
Center/DeCA Publications-Directives/Manuals/Handbooks/Office of Internal Audit.
5. MANAGEMENT CONTROL SYSTEM. This Manual contains internal management
control provisions that are subject to evaluation and testing, as required by DeCAD 70-2,
“Internal Control Program,” December 17, 2007 (Reference (c)).
6. EFFECTIVE DATE.
a. This Manual is effective August 15, 2014.
b. This Manual must be reissued, cancelled, or certified current within 5 years of its publication, in
accordance with DoD Instruction (DoDI) 5025.01, "DoD Directives Programs," June 6, 2014,
(Reference (d)). If not, it will expire effective August 15, 2024, and be removed from the DeCA
Issuances Website.
Keith M. Owens
Director, Inspector General
TABLE OF CONTENTS
References
Chapter 1 – Auditing Standards
1 Overview
2 Source of Auditing Standards
3 Compliance with Auditing Standards
4 General Standards
5 Types of Audit Services
6 Nonaudit Services
7 TeamMate Suite for Audit Documentation
Chapter 2 – Audit Life Cycle and Management
1 Overview
2 The Audit Process
3 Life Cycle and Management Responsibilities
4 Audit Project Management
5 Timely Audit Completion
Chapter 3 – Audit Planning
1 Overview
2 Planning Responsibilities
3 Subject Selection and Coordination
4 Planning – Initial Requirements
5 Planning – Research
6 Planning – Working Paper Requirements
7 Planning – Summary Working Paper
8 Audit Program
Chapter 4 – Audit Execution
1 Overview
2 Execution Responsibilities
3 Working Paper Requirements
4 Detail Working Papers (TeamMate Procedures)
5 Summary Working Papers (TeamMate Exceptions)
6 Changes During Audit Execution
7 Data Reliability Documentation
8 Audit Sampling Documentation
9 Validating Audit Results
Chapter 5 – Reporting Requirements
1 Overview
2 Draft Report Responsibilities
3 Audit Report General Requirements
4 Report Format – Executive Summary
5 Report Format
6 Report Format – Appendices
7 Report Quality Assurance
8 Draft Report Processing
Chapter 6 – Reporting Requirements
1 Overview
2 Final Report Responsibilities
3 Management Comments – General Guidance
4 Evaluation Management Comments
5 Non-Concurrences
6 Cover Letters
7 Final Report Processing
8 Follow-up Audits
9 Follow-up Audit Reports
APPENDICES
Appendix A Independence Statement
Appendix B Nonaudit Service Statement
Appendix C TeamMate Suite
Appendix D Audit Needs
Appendix E Risk-Based Planning Factors
Appendix F Audit Planning Program
Appendix G Entrance Conference
Appendix H Computer Generated Data Reliability Reporting
Appendix I Independent Reference Reviewer (IRR) Checklist
Appendix J Audit Report Reviewer Checklist
Appendix K Audit Follow-Up Log
Glossary
REFERENCES
(a) DeCAD 90-5, “Internal Audit Activities,” August 10, 2011 (hereby cancelled)
(b) DoDD 5105.55, “Defense Commissary Agency,” March 12, 2008
(c) DeCAD 70-2, “Internal Control Program,” December 17, 2007
(d) DoDI 5025.01, "DoD Directives Program," June 6, 2014
(e) GAO-012-331G, “Government Auditing Standards (Yellow Book),” Revision,
December 2011
(f) DoD Manual 7600.7-M, “DoD Audit Manual,” February 12, 2009
(g) GAO-03-273G, Assessing the Reliability of Computer Processed Data, October 2002,
External Version 1
(h) DoDI 7600.2, “Audit Policies,” April 27, 2007
(i) DoDD 7200.1, “Administrative Control of Appropriations,” May 4, 1995. Certified Current
as of November 21, 2003
CHAPTER 1
AUDITING STANDARDS
1. Overview. Auditing standards are broad statements of auditors’ responsibilities. The
standards pertain to auditors’ professional qualifications, the quality of audit effort, and the
characteristics of professional and meaningful audit reports. The standards are the criteria or
performance measures used to guide auditors in their work. Because auditing has no simple
formula, auditors and supervisors must exercise professional judgment throughout the audit
process. An awareness of and adherence to auditing standards will improve the quality of audit
work and provide a basis for the exercise of professional judgment.
2. Sources of Auditing Standards. A number of professional and government organizations
issue auditing standards, policies, and procedures.
a. Generally Accepted Government Auditing Standards (GAGAS). The Comptroller
General’s (GAO-012-331G) “Government Auditing Standards,” (Reference (e)), often referred
to as the “Yellow Book,” is effective for performance audits beginning on or after December 15,
2011. The “Yellow Book” provides guidance for financial and performance audits.
b. Department of Defense Inspector General (DoDIG) Audit Policies and Procedures. The
audit policies and procedures set forth in DoD Manual (DoDM) 7600.7-M, “DoD Audit
Manual,” February 12, 2009, (Reference (f)), incorporate Comptroller General Standards. The
Audit Manual was designed, in part, to assist DoD audit organizations in complying with
Comptroller General auditing standards, policies, and procedures.
c. American Institute of Certified Public Accountants (AICPA) Auditing Standards. The
AICPA statements on auditing standards primarily pertain to public accountants performing
financial audits—that is, rendering an opinion on financial statements.
3. Compliance with Auditing Standards. DeCA’s Inspector General Internal Audit Division
(CCIA) specifically adopted the Comptroller General auditing standards that include general
standards, as well as fieldwork and reporting standards for financial and performance audits. All
DeCA CCIA auditors must adhere to these standards, as stated in Reference (e). Adherence
helps to produce quality audits that are of maximum benefit to DeCA management. DeCA
CCIA procedures concerning fieldwork and reporting are discussed in Chapters 3 through 6. In
compliance with auditing standards, all auditors are required to make a written declaration of
their independence in matters relating to all audit work (GAGAS 3.02). The Independence
Statement (Appendix A) will be maintained in the personnel records and updated annually.
However, as an additional control measure, we have also developed a Statement of Independence
form, to include in TeamMate Suite Electronic Working Papers (EWP) for each project.
TeamMate’s EWP is DeCA’s CCIA automated application that allows auditors to complete all
phases of the audit documentation and review processes. TeamMate Software Version 9.1.1 is
currently used within CCIA, with future upgrades as they become available (Appendix C).
4. General Standards Introduction. This section establishes general
standards and provides guidance for performing financial audits, attestation engagements, and
performance audits under GAGAS. These general standards, along with the overarching ethical
principles presented in Chapter 1 of this Manual, establish a foundation for the credibility of
auditors’ work. These general standards emphasize the importance of the independence of the
audit organization and its individual auditors; the exercise of professional judgment in the
performance of work and preparation of related reports; the competence of staff; and quality
control and assurance (GAGAS 3.0).
a. Independence. In all matters relating to the audit work, the audit organization and
individual auditor, whether government or public, must be independent (GAGAS 3.02).
Auditors and audit organizations maintain independence so their opinions, findings, conclusions,
and recommendations will be impartial and viewed as impartial by reasonable and informed third
parties. Auditors should avoid situations that could lead reasonable and informed third parties to
conclude that the auditors are not independent and thus are not capable of exercising objective
and impartial judgment on all issues associated with conducting the audit and reporting on the
work (GAGAS 3.04).
b. Independence comprises (GAGAS 3.03):
(1) Independence of Mind. The state of mind that permits the performance of an audit
without being affected by influences that compromise professional judgment, thereby allowing
an individual to act with integrity and exercise objectivity and professional skepticism.
(2) Independence in Appearance. The absence of circumstances that would cause a
reasonable and informed third party, having knowledge of the relevant information, to
reasonably conclude that the integrity, objectivity, or professional skepticism of an audit
organization or member of the audit team had been compromised.
c. Professional Judgment. Auditors must use professional judgment in planning and
performing audits. Professional judgment includes exercising reasonable care and professional
skepticism. Reasonable care includes acting diligently IAW applicable professional standards
and ethical principles. Professional skepticism is an attitude that includes a questioning mind
and a critical assessment of evidence. Professional skepticism includes a mindset in which
auditors assume neither that management is dishonest, nor of unquestioned honesty (GAGAS
3.60-3.61).
d. Competence. The staff assigned to perform the audit must collectively possess adequate
professional competence needed to address the audit objective and perform the work IAW
(GAGAS 3.69).
e. Technical knowledge. Staff assigned to conduct an audit IAW GAGAS should
collectively possess the technical knowledge, skills, and experience necessary to be competent
for the type of work being performed before beginning work on the audit (GAGAS 3.72).
f. Continuing Professional Education (CPE). Auditors performing work IAW GAGAS,
including planning, directing, performing audit procedures, or reporting on an audit conducted
IAW GAGAS, should maintain their professional competence through CPE. Therefore, each
auditor performing work IAW GAGAS should complete, every 2 years, at least 24 hours of CPE
that is directly related to government auditing, the government environment, or the specific or
unique environment in which the audited entity operates. Auditors who are involved in any
amount of planning, directing, or reporting on GAGAS audits, and auditors who are not involved
in those activities but charge 20 percent or more of their time annually to GAGAS audits should
also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE) in every 2-year
period. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of
CPE in each year of the 2-year periods (GAGAS 3.76).
g. Quality Control and Assurance. Each audit organization performing audits IAW
GAGAS must:
(1) Establish and maintain a system of quality control that is designed to provide the
audit organization with reasonable assurance that the organization and its personnel comply with
professional standards and applicable legal and regulatory requirements, and
(2) Possess an external peer review performed by reviewers independent of the audit
organization being reviewed at least once every 3 years (GAGAS 3.82).
h. Internal Quality Control System. The first and primary elements for ensuring the
quality of audits are the team lead and supervisory review of the project documentation. The
degree of Team Lead and supervisory review depends on the skill level of the staff assigned, the
complexity of the review, and the amount of day-to-day supervision required. Team lead and
supervisory signatures on documentation throughout the project are the primary, but not the only,
documentary evidence used to determine compliance with the supervision fieldwork standard.
Evidence of good supervision is ultimately visible in the quality of the project documentation file
and final report.
5. Types of Audit Services.
a. Performance Audits. Performance audits provide information to improve program
operations and facilitate decision making by entities that are responsible for overseeing or
initiating corrective action and improving public accountability. Performance audits provide an
objective and systematic examination of evidence to provide an independent assessment of the
performance and management of a program against established criteria. Performance audits can
also be used to provide an assessment of best practices and other information (GAGAS 6.01-6.85
and 7.01-7.44).
b. Financial Audits. Financial audits provide assurance as to whether financial statements
are presented fairly, in all material respects, in conformity with generally accepted accounting
principles (GAAP). Financial audits are to be performed according to GAGAS and Office of
Management and Budget (OMB) requirements, both of which are incorporated into the
Government Accountability Office/President’s Council on Integrity and Efficiency (GAO/PCIE)
Financial Audit Manual (FAM) (GAGAS 4.01-4.48).
c. Attestation Engagements. Attestation engagements involve examining, reviewing, or
performing agreed-upon procedures on a subject matter or an assertion about a subject matter
and reporting on the results. Attestation engagements can cover a broad range of financial or
nonfinancial subjects and can be part of a financial or performance audit. To perform an
attestation, there must be an assertion or defined subject matter that is the responsibility of
another entity and measurable criteria that are suitable and available to evaluate the assertion or
subject matter (GAGAS 2.7-2.11 and 5.03-5.4).
6. Nonaudit Services. Nonaudit services are professional services other than audits provided by
audit organizations. Nonaudit services include assistance provided to management officials
requested by decision makers without verifying, analyzing, or evaluating the information or data.
Requests by management officials to perform nonaudit services must be carefully evaluated to
ensure that CCIA is not placed in situations that could lead reasonable third parties to conclude
that we are not able to maintain independence in conducting audits. CCIA must avoid situations
that could lead reasonable third parties to conclude that we as an organization are not able to
maintain independence in conducting audits. Requests to perform nonaudit services should be
accepted only on an exception basis, for very compelling reasons, and be approved by the
Director, CCIA. Nonaudit services can include performing tasks that directly support the
Agency executive group operations or providing information on data without verifying,
analyzing, or evaluating the information or data. A nonaudit statement is completed and filed in
TeamMate for each nonaudit engagement (Appendix B). Audit organizations in government
entities frequently provide nonaudit services that differ from the traditional professional services
provided by an accounting or consulting firm to or for the audited entity. These types of
nonaudit services are often performed in response to a statutory requirement, at the discretion of
the audit organization, or for a legislative oversight body or an independent external organization
and do not impair auditor independence. The following two overarching principles apply to
auditor independence when assessing the impact of performing a nonaudit service for an audited
program or entity (GAGAS 2.12-2.13 and 3.14).
a. Audit organizations must not provide nonaudit services that involve performing
management functions or making management decisions.
b. Audit organizations must not audit their own work or provide nonaudit services in
situations in which the nonaudit services are significant or material to the subject matter of the
audits.
7. TeamMate Suite for Audit Documentation. TeamMate is a suite of products combining
both desktop and web-based technologies. The suite allows auditors to identify, schedule,
document, report, and track time and expenses on audits using a modular approach. It is located
on each auditor’s hard drive through access to the TeamMate database, which is stored on DeCA’s
Information Technology Server. TeamMate Electronic Working Papers (EWP) is DeCA’s CCIA
automated application that allows auditors to complete all phases of the audit documentation and
review processes. TeamMate Software Version 9.1.1 is currently used within CCIA, with future
upgrades as they become available (Appendix C).
CHAPTER 2
AUDIT LIFE CYCLE AND MANAGEMENT
1. Overview. The audit life cycle begins with the planning phase and extends through audit
reporting and follow-up (See Figure 1). The audit team consists of CCIA staff auditor(s), lead
auditor, Deputy Director for Audit (Supervisory Auditor), and Director CCI. This section
provides broad, general background information on the audit process.
2. The Audit Process. The audit life cycle consists of four major phases: planning, fieldwork,
reporting, and follow-up. The planning phase encompasses all actions to identify potential audit
subjects, perform a risk assessment, prepare the annual audit plan, perform preliminary audit
planning, define audit objectives, thoroughly plan the audit, and develop the audit program. The
fieldwork phase includes gathering sufficient and appropriate evidence to support audit results
and provide a basis for specific recommendations. During the reporting phase, the auditor
prepares the audit report to present identified findings and recommendations so management can
take appropriate corrective actions without the need for further review or study. This phase
culminates with the receipt of management comments and the issuance of the final report. The
audit team receives and evaluates management comments, prepares and distributes the
final report, and selects recommendations for subsequent follow-up. The follow-up phase
determines whether actions taken by management corrected the cited deficiencies.
Figure 1 – Audit Process Defined
a. Identifying Suggestions for Audit Subjects. Audit subjects are identified in a variety of
ways.
(1) Potential Audit Needs. Auditors identify potential problems (“audit needs”) from a
variety of sources including observations outside the scope of current audits, discussions with
management officials and operating personnel, reviews of other audit and inspection reports,
personal experience, organization mission plans, and professional judgment. Auditors document
audit requirements on working papers. These informal working papers represent an inventory of
“reminders” to assist in developing audit plans. Potential Audit Needs working papers should
identify the DeCA activity, the potential problem (along with significance and recommended
audit approach), the disclosure source (if applicable), and the estimated required staff hours. A
suggested format for documenting potential audit needs is provided at Appendix D. The
Deputy Director for Audit will maintain a file of audit need documents and an informal log to
record the date the auditor prepared the audit need, the activity involved, the unit, a descriptive
title, and the disposition (included or not included in the annual plan).
(2) Call for Audit Suggestions. To develop the annual plan, the Director, CCI will send
out a Call for Audit Suggestions to all senior DeCA management and members of the DeCA
Board of Directors.
(3) Follow-up Audits. Include follow-up audits in the annual plan, when applicable.
(4) Entrance and Exit Conferences. Questions and comments during conferences may be
outside the scope of the current audit, but could present a potential audit need.
(5) Public Accountant Recommendations. Follow-up on public accountant report
recommendations to determine whether significant problems detected in the public accountant
reports were corrected.
(6) Mission Directives. Audit office staff will review DeCA “mission directives” to
determine whether there is potential for audit subjects.
(7) Significant Activities. Significant Activity Reports often mention subjects of interest
to management.
b. Risk Assessment. DeCA’s Deputy Director for Audit (Supervisory Auditor) will use a
risk-based planning approach to develop the annual audit plan. This process is described below.
(1) Develop audit suggestions throughout the year following the guidance in chapter 2,
paragraph 2.a. of this Manual.
(2) Evaluate the potential audit subjects in terms of the nine risk assessment factors
described in the Risk-Based Planning Factors Model in Appendix E.
(3) Calculate a risk assessment score for each potential audit subject using the model.
(4) Rank audit subjects by their risk assessment score.
(5) Select audit subjects and prepare the annual plan.
c. Annual Audit Plan. The Annual Audit Plan is the document that contains the
plan of action for the Internal Audit Division to accomplish selected and ongoing audits,
identify potential future audit topics, and identify available audit hours. DeCA CCIA audits
evaluate a variety of subjects, DeCA-wide, at various levels of management and corporate
organization. These audits target subjects with significant investment or sensitivity, or that affect
operational capabilities and results. The annual audit plan outlines DeCA CCIA goals and
objectives and represents the basis for allocating resources among the various types of audits.
Management responsibilities for implementing the Annual Audit Plan or any deviations
determined otherwise include:
(1) Goals and Objectives. The Deputy Director for Audit (Supervisory Auditor)
establishes performance goals and objectives annually. These goals and objectives represent
targets for the audit effort and establish the CCIA contribution to the overall Agency goals and
objectives.
(2) Scheduling Audit Subjects. The Deputy Director for Audit (Supervisory Auditor)
commits to a particular audit because good reason to perform the audit was identified and
documented during audit plan development. In selecting subjects, the Deputy Director for Audit
(Supervisory Auditor) considers all available data, including data gathered for the risk
assessment.
(3) Planned Audits. Unless higher priority subjects arise during the year, the Deputy
Director for Audit (Supervisory Auditor) should normally select subjects from the annual audit
plan. To the extent possible, higher risk subjects should be selected first.
(4) Requested Audits. The Deputy Director for Audit (Supervisory Auditor) will
schedule audit requests to start as soon as practical and will advise the requesting official of the
approximate start date.
d. Audit Notification/Planning. This segment of the process begins when the audit team
issues the audit announcement memorandum/email and begins research. The audit team acquires
background information needed to prepare the audit program, identify potentially deficient
conditions (potential audit results) and their probable/possible causes, identify significant
internal controls, and assess the program’s risks. During this phase, the audit team will also
prepare for and conduct the entrance conference.
e. Audit Execution/Fieldwork. This segment begins after the audit program is approved and
generally ends when the audit team fully executes the audit program.
(1) Audit Program. The audit team identifies and limits the audit objectives to those that
fulfill the audit’s purpose. The auditor then develops audit steps for each objective that will
enable the auditor to fully document and substantiate the potential deficiencies, underlying
causes, and impact. At a minimum, each audit program will include steps to confirm compliance
with significant controls identified during the planning phase as well as the sample selection
method. The completed set of audit steps comprises the audit program. The audit program
development is the last part of the Planning Phase of the Audit Life Cycle.
(2) Audit execution includes data gathering, summarization and analysis, validation,
writing the draft report, conducting an exit conference, and sending the report out for comment.
Execution begins when the auditor starts applying the audit program and ends when the audit
team receives management comments.
(a) Data gathering is all the fieldwork the auditor performs, as outlined in the audit
program, to gather evidence to support the audit objectives and potential findings.
(b) Summarization and analysis include compiling and evaluating audit results,
drawing conclusions, and identifying potential findings.
(c) Validation is the discussion of potential audit results with the auditee(s) during
(not after) the audit. Either the auditee(s) agrees with (validates) the audit results, or the
auditee(s) disagrees and provides evidence to support their opposing position. As a result of
these discussions, additional audit testing may be necessary to obtain further support for the audit
findings or to validate the new evidence presented by the auditee(s).
(d) The discussion draft report includes providing a copy of the draft report to those
auditees the auditor(s) worked directly with. The purpose of the discussion draft is to provide
results to the program representatives and obtain their comments before the draft report is
submitted to management for comments.
f. Draft Report. The reporting phase includes drafting the audit report, reviewing the draft
report, discussing the report, and providing the report to the subject matter experts (SME) and
Executive Directors for concurrence/nonconcurrence and comments.
g. Final Report. This phase begins when the audit team receives management’s response to
the draft report and ends with final report distribution. This phase includes evaluating
management comments, preparing the final report, publishing and distributing the final report,
and selecting recommendations for follow-up.
h. Follow-up Report. This phase begins after completion of the final report and ends when a
follow-up report is published. Follow-up is an integral part of good management and is a
responsibility shared by management and auditors. Follow-up can determine whether
management took the recommended actions or satisfactory alternatives, and whether the actions
taken were effective in eliminating the deficiencies.
3. Life Cycle and Management Responsibilities.
a. CCI Director’s Responsibilities. The CCI Director, as second-level supervisor, shall:
(1) Approve overall objectives and audit programs.
(2) Monitor audit progress and approve requests for deviation from the approved project
plan (e.g., changes in audit project milestones, resource limits, or objectives).
(3) Promptly act on identified problems (such as access denials by management and
disagreements with management officials).
(4) Review and approve final audit reports for release to management and assure they
comply with GAGAS and DeCA CCIA guidance.
(5) Establish procedures to ensure required quality assurance procedures (e.g.,
supervisory review and independent reference reviewing) are accomplished.
(6) Review a minimum of one set of audit working papers every 3 months. After
completing the working paper review, the CCI Director will discuss the review results with the
auditor and supervisor.
b. The Deputy Director for Audit’s (Supervisory Auditor) Responsibilities. The Deputy
Director for Audit (Supervisory Auditor), as first-level supervisor, shall:
(1) Maintain contact with local management and develop audit issues to include annual
audit plans.
(2) Provide auditors with project assignments, guidance, technical assistance, and
training.
(3) Monitor audit progress and keep the CCI Director informed of projects.
(4) Ensure audits are conducted IAW government auditing standards and DeCA CCIA
audit policies and procedures prescribed in this Manual.
(5) Approve the audit program.
(6) Act on identified problems (e.g., access denial or disagreements with management
personnel). Elevate to the CCI Director problems that cannot be resolved.
(7) Evaluate requests to deviate from audit project milestones, resource limits, or
objectives. If deemed appropriate, elevate requests to the CCI Director for approval.
(8) Review and approve draft audit reports for release to management and assure they
comply with GAGAS and DeCA CCIA guidance.
(9) Appoint an auditor not associated with the audit to independently reference and
review the draft report before soliciting management comments.
(10) Review and approve the evaluation of management comments before the CCI
Director’s review.
c. Lead Auditor Responsibilities. Lead auditor performs oversight of audit planning,
execution, and reporting.
(1) Review and approve finding outlines, IAW directorate policy.
(2) Participate in developing and finalizing finding outlines.
(3) Ensure auditors conduct all assignments IAW government auditing standards and
DeCA CCIA audit policies and procedures prescribed in this Manual.
(4) Review and approve all auditor working papers. In addition, document comments for
working papers reviewed, dates of reviews, and review results in TeamMate (i.e., coaching
notes).
(5) Assist auditors in planning the audit, review planning working papers, and evaluate
research results.
(6) Act on identified problems (e.g., access denial or disagreements with management
personnel). Elevate to the Deputy Director for Audit (Supervisory Auditor) problems that cannot
be resolved.
(7) Participate in entrance conference, validation, exit conference, and any relevant
discussions with management officials.
(8) Review the evaluation of management comments before Deputy Director for Audit
(Supervisory Auditor) review.
d. Auditor Responsibilities. Auditors manage assigned audit projects IAW government
auditing standards and DeCA CCIA policies and procedures. Auditors shall:
(1) Conduct audit projects IAW government auditing standards and DeCA CCIA
policies and procedures prescribed in this Manual and Reference (a).
(2) Document all work performed and evidence gathered, in TeamMate electronic
working paper files. The auditor must use the file structure in TeamMate to prepare and
maintain working papers. Auditors may add to, but not delete from, the TeamMate file structure.
(3) Respond to TeamMate coaching notes in a timely manner, normally 2 to 3 workdays.
(4) Perform research/planning, evaluate planning results, formulate audit objectives, and
prepare the audit program.
(5) Develop a separate finding outline for each potential audit result.
(6) Gather data to support steps in the audit program. Answer all audit steps and assure
sufficient and appropriate evidence is gathered to reach a conclusion on each announced
objective. Validate the audit conclusions with management officials.
(7) Resolve or elevate problems (such as access denial or disagreements with
management personnel; significant audit results requiring interim reporting; and potential need to
deviate from audit milestones, resource limits, or objectives).
(8) Summarize audit results, identify report issues, prepare the draft report, and elevate
the completed draft through the Lead Auditor to the Deputy Director for Audit (Supervisory
Auditor) for approval. Once approved, discuss the report with management officials.
(9) Evaluate management comments, prepare the final report, and complete and finalize
the working papers.
4. Audit Project Management. DeCA CCIA uses TeamMate to plan and manage individual
audit projects (allocate audit resources and track project completion). At the start of each
assignment, the audit team enters project information (milestones and resources) into TeamMate.
The audit team continuously updates TeamMate to reflect actual milestone completion and
resource use.
5. Timely Audit Completion. The timely completion of audits provides an essential service to
management. The auditor’s goal is to provide a report that is of maximum use, providing
relevant evidence in time to respond to officials of the audited entity, legislative officials, and
other users’ legitimate needs. Toward this end, CCIA audit teams (Auditor, Lead Auditor,
Deputy Director for Audit (Supervisory Auditor), and CCI Director) should establish realistic
milestones in TeamMate at the start of each audit, and the Deputy Director for Audit
(Supervisory Auditor) should carefully review Project Plan Reports to monitor team progress in
meeting the milestone and resource targets. To assist in making timely decisions relative to the
audit resource investment, the CCI Director should establish thresholds (resource and milestone)
that, if exceeded, require a conference from the audit team.
CHAPTER 3
AUDIT PLANNING
1. Overview. The main purpose of audit planning is to obtain all the information needed to
determine the audit scope and objectives, and to develop the program for subsequent in-depth
audit work. The actual amount of planning work accomplished will vary from audit to audit and
depend mainly on the audit team’s experience, familiarity with the subject area, and
understanding of the control environment. This section identifies planning responsibilities and
provides guidance for conducting planning. Appendix D, “Audit Planning Program,” provides
additional guidance.
2. Planning Responsibilities.
a. The CCI Director shall:
(1) Approve new audit assignments and their objectives.
(2) Verify audit planning was conducted IAW DeCA CCIA policies and procedures
during working paper reviews (chapter 2, paragraph 3.a. (6)) and provide feedback to the
auditor and supervisor.
(3) Ensure audit projects are completed in TeamMate (Appendix C).
b. The Deputy Director for Audit (Supervisory Auditor) shall:
(1) Coordinate audit assignments with the CCI Director.
(2) Periodically monitor auditor progress during planning, provide assistance as needed,
and ensure audit planning is conducted IAW DeCA CCIA policies and procedures.
(3) Review and approve the audit program, and ensure it includes the agreed-upon
objectives and a series of steps that would reasonably accomplish each objective.
(4) Ensure audit projects are completed in TeamMate (Appendix C).
(5) Electronically sign off reviewed working paper files.
(6) Prepare significant activity report for bi-weekly submission to the CCI Director.
c. The lead auditor shall:
(1) Monitor auditor progress during planning, provide assistance as needed, and ensure
the auditor conducts planning IAW DeCA CCIA policies and procedures.
(2) Participate in or conduct the entrance conference.
(3) Ensure the auditor uses the Audit Planning Program (Appendix F) and either
completes each step or provides rationale for not completing the step in TeamMate working
papers.
(4) Review planning working papers, and document the review in TeamMate (i.e.,
coaching notes).
(5) Complete the planning work paper review before the auditor begins audit execution.
(6) Electronically sign off reviewed working paper files.
(7) Ensure audit projects are completed in TeamMate (Appendix C).
d. The auditor(s) shall:
(1) Conduct audit planning IAW DeCA CCIA policies and procedures.
(2) Prepare the audit announcement memorandum/email for Deputy Director for Audit
(Supervisory Auditor) signature/transmission and participate in or conduct the audit entrance
conference.
(3) Prepare an audit program that includes the audit announcement objectives and a
series of detailed steps to answer each objective. The audit program will include the elements
described in chapter 3, paragraph 8.
(4) Prepare the Audit Planning Program (Appendix F) using the
planning steps template in TeamMate.
(5) Document the results of planning discussions, audit tests, internal control reviews,
etc. in TeamMate working papers following the guidance in chapter 3, paragraph 6. The
auditor will hyperlink the Audit Planning Program steps to the supporting working papers in
audit execution.
(6) Summarize planning results in TeamMate planning step 14, to include the rationale
for either continuing or terminating the project.
(7) Respond timely (within 2 - 3 working days) to the lead auditor’s working paper
review coaching notes by answering questions, responding to general comments, and
accomplishing any additional directed tasks.
3. Subject Selection and Coordination. With the CCI Director’s concurrence, the assignment
of audits is normally the Deputy Director for Audit’s (Supervisory Auditor) responsibility. The
Deputy Director for Audit (Supervisory Auditor) should assign audit projects from the annual
plan to the maximum extent possible. Factors to consider include skill, experience, and interests
of the auditor; time constraints, if any; and subject priority, based on the risk analysis rating.
4. Planning - Initial Requirements. At the start of each audit project, the Deputy Director for
Audit (Supervisory Auditor) will discuss with the auditor and lead auditor the scope, objectives,
and basic approach of audit planning. The lead auditor will assist the auditor in preparing the
entrance conference (Appendix G), and conducting preliminary research.
a. Audit Announcement Memorandum/Email. The audit team provides applicable written
notification before the planned audit start date to appropriate Agency management. NOTE:
Audit teams should not provide advance notification where the element of surprise is essential in
accomplishing the audit objectives, such as front-end audits.
(1) Memorandum/Email Contents. The memorandum/email shall:
(a) Identify the audit title in the subject line.
(b) Identify the organizations to be audited.
(c) If audit objectives have not been determined, the audit notification should only
include a broad statement regarding the audit focus.
(d) Identify the assigned auditor, telephone number, e-mail address, and security
clearance, if applicable.
(e) Request the names, telephone numbers, and email addresses of the subject area
focal points.
(f) Offer to schedule an entrance conference or provide an opportunity for
management to express any concerns.
(g) Include Deputy Director for Audit (Supervisory Auditor) signature block and
distribution, if applicable. The distribution will include DeCA senior management, all
offices/groups affected by the audit, and DeCA’s Washington Office.
b. Audit Entrance Conference. The auditor and lead auditor will conduct an entrance
conference with the appropriate Agency management before beginning the audit. Inform the
appropriate Agency management of the audit purpose and scope, including the overall and
specific objectives, and identify the estimated time period of the audit (Appendix G).
(1) In-brief key personnel of the audited entity and other operating officials who have an
interest in the audit.
(2) Ask management officials if they have any concerns or points of interest regarding
the scope and objectives of the audit.
(3) Ask management officials to identify any reports and data they use to determine the
activity’s general health and assess how well the activity is managed. Obtain copies of
applicable reports.
(4) Document results of each entrance conference in a memorandum for record (MFR).
Include the MFR in TeamMate project working papers.
c. Preliminary Research. Auditors will perform preliminary research to familiarize
themselves with the subject and prepare for the entrance conference.
(1) Identify and review applicable DeCA and DoD directives. They provide good
sources of background information, identify internal controls, and explain operational
requirements.
(2) Review reports issued by other agencies covering the subject area posted on their
respective Web home pages.
5. Planning - Research. Auditors will gather basic background information, review prior audit
coverage, perform limited tests to identify potential findings, identify and evaluate internal
controls, assess the risk of fraud, identify management performance standards (metrics), identify
computer-generated data that will be used in the audit, and obtain input from other organizations.
Reference the Audit Planning Program (Appendix F). NOTE: All data specified may not
apply for every audit, so auditors should use professional judgment in eliminating those steps
that do not apply, and annotate in TeamMate EWP reasons for any exclusions.
a. Basic Information of the Audited Entity. Acquire the following information, as
applicable: primary and subordinate missions and functions, budget and resource information,
organizational structure, personnel assigned, operating instructions and other supplemental
criteria.
b. Prior Audit Coverage. Review prior audit coverage within the last 3 years from the start
of the current audit. If prior audit reports are identified, obtain copies. Auditors must follow up
and report on significant findings identified and recommendations made to the audited
management level and location in prior reports, if the recommendations relate to the current audit
objectives. To identify prior audits:
(1) Review DeCA CCIA office working paper files.
(2) Ask the audit client, or the applicable audit focal point, about prior audits.
(3) Review prior audit coverage of DoDIG and GAO.
c. Internal Controls. GAO standards require that auditors review and evaluate internal
controls during all audits. The purpose is to (a) determine if the established controls are working
as intended and (b) provide reasonable assurance of detecting or preventing errors, irregularities,
inefficiencies, or uneconomical practices.
(1) Identify Internal Controls. During planning, the auditor will identify the internal
controls (processes and procedures) established and implemented to account for and protect
assets, assure accurate reporting, and efficiently and effectively accomplish the mission of the
activity under review. This step is normally accomplished through review of regulations and
operating instructions, discussions with managers and operating personnel, physical inspection,
review of internal control reports (assessments performed to meet the requirements of the
Federal Managers Financial Integrity Act), and reviews of prior audit reports.
(2) Flowchart Controls. The auditor must gain an understanding of the activity’s control
environment and flow of transactions. Flowcharts assist in this process by providing a graphic
portrayal of the operation. They help the auditor visualize and comprehend the activity’s work
processes. They are also beneficial in evaluating the adequacy of controls; therefore, use
flowcharts whenever feasible. Time constraints and the size and complexity of the activity are
factors the auditor considers before reaching a decision to use flowcharts. When the auditor does
not use flowcharts, a written narrative of the operation must be used.
(3) Test Controls. During planning, auditors should perform limited tests to assess
compliance with established controls and to form a preliminary opinion on their effectiveness.
These tests will help the auditor determine the nature, timing, and extent of any additional
detailed audit tests deemed necessary.
(a) If the auditor concludes the controls are adequate, the auditor should reduce the
extent of detailed testing during audit execution.
(b) Conversely, if the auditor doubts the reliability of controls or elements thereof,
the auditor should accomplish further in-depth audit work in the areas identified.
d. Fraud. While reviewing controls, the auditor must be alert to situations or transactions
that could be indicative of fraud (errors, irregularities, and illegal acts). The warning signals
discussed below will assist the auditor in identifying potentially fraudulent situations.
(1) Difficulty in Obtaining Evidence. This signal includes difficulty in obtaining audit
evidence with respect to unusual or unexplained transactions, incomplete or missing
documentation and authorizations, and alterations in documentation or accounts.
(2) Inadequate Controls. Noncompliance and lack of oversight are two important
control-related problems that would allow fraud to occur without detection.
(3) Unexplained Fluctuations. Unusual or unexplained fluctuations in material account
balances, physical inventories, and inventory turnover rates.
(4) Performance Problems. Encountered performance problems such as delayed,
evasive, or unreasonable responses to audit inquiries.
(5) Dispersed Locations. Widely dispersed locations accompanied by highly
decentralized management and inadequate reporting systems.
(6) Electronic Data Processing Weaknesses. Known continuing weaknesses in internal
controls over access to computer equipment or electronic data entry devices.
e. Metrics. Metrics are objective standards management uses to assess performance. These
standards may be in the form of an error rate, on-time rate, out-of-tolerance rate, etc.
Management’s success in achieving (or failure to achieve) the established metrics provides a
prime indicator of the organization’s effectiveness. During audit planning, the auditor should
gather information regarding the identified metrics. During execution, the auditor should
determine if the metrics were correctly computed and accurately reported.
f. Computer-Generated Data. GAO standards require that “when computer-generated data
are an important or integral part of the audit and the data’s reliability is crucial to accomplishing
the audit objectives, auditors need to satisfy themselves that the data are relevant and reliable,”
(Appendix H). During audit planning, auditors will identify the computer-generated data and
reports they will rely on during application to support audit conclusions. During execution,
auditors will test to verify data reliability (chapter 3, paragraph 8. h) and document results in
working papers.
g. Input from Other Organizations. Evidence obtained from a competent and credible third
party SME is more reliable than that obtained from the audit client. Organizations that work
with the audit client often have a good understanding of the audit client’s strengths and
weaknesses. Therefore, the auditor can generally benefit by obtaining input from personnel who
interact with the audit client.
6. Planning - Working Paper Requirements. Auditors will plan, prepare, assemble, and
summarize audit planning working papers for every assigned audit project.
a. Follow the specific procedures for uniform working paper organization and presentation
required in this manual (chapter 4, paragraphs 3 through 5).
b. Use TeamMate electronic working papers and the file structure specified therein.
c. Beyond these procedures and requirements, auditors must use professional judgment and
initiative in determining the manner of presentation.
7. Planning Summary Working Paper. At the conclusion of research/planning, the auditor
will prepare a working paper that summarizes the results and provides rationale to conduct an
in-depth audit or to terminate the audit without further audit work. Include the following elements:
a. Background Information. Provide sufficient detail to enable the audit team to understand
the program, system, or function.
b. Management Contacts. Identify the unit officials contacted during research and their
suggestions related to the audit scope, if any.
c. Control and Fraud Assessment. Provide a preliminary assessment of the effectiveness of
established controls, including an assessment of the risk of abuse or illegal acts (fraud) occurring.
d. Computer-Generated Data. Identify the computer-generated data that will be used during
the review to support audit conclusions, if any.
e. Prior Audits. Provide an assessment of the effects of previous audits with similar
objectives on the proposed review, if any.
f. Research Results. Identify potential findings: condition, cause, impact, criteria, and
Potential Monetary Benefit (PMB), if any.
g. Rationale to Continue or Terminate the Audit:
(1) Continuing the Audit. Recommend conducting further audit work if (a) planning
results indicated the audit subject is sufficiently material or (b) the planning tests performed
identified potential problems. The summary should estimate the time required to complete the
audit and provide proposed completion dates.
(2) Terminating the Audit. Recommend terminating the audit if (a) the audit subject is
not sufficiently material, and (b) planning tests did not identify significant potential problems.
(a) Consider issuing a report at the end of planning if the auditor accomplished
sufficient work during planning to support any statement made in the report. Most often, a clear
report will be issued in this circumstance. Qualify the audit scope to ensure readers are fully
aware of the limited testing done.
(b) If you decide not to issue an audit report, issue a closure memorandum to the
applicable management official and reference the announcement memorandum/email. Advise
the addressee why the audit work was terminated, and explain that an audit report will not be
issued. Provide the closure memorandum/email to offices that received the audit announcement
memorandum/email and others that attended the entrance conference.
h. Hyperlinks. The auditor will hyperlink (cross-reference) all pertinent elements of the
summary working paper (TeamMate Exception) to supporting working papers (TeamMate
Procedures).
8. Audit Program. The audit program is a “living” document, and the auditor should begin
writing the program during the audit planning. The auditor must complete a written audit
program before starting any in-depth audit work. The lead auditor will review the program for
adequacy and obtain approval from the Deputy Director for Audit before the auditor starts
detailed audit testing. The program must provide understandable audit objectives and a series of
program steps that will reasonably accomplish each objective. NOTE: The auditor should
remember that, as audit work continues, it often becomes necessary to modify the audit program
to adapt to existing conditions in the field. Changes to the audit program should also be
approved by the Deputy Director for Audit. Reference the Audit Planning Program.
a. General Guidelines.
(1) The audit program will identify the objectives of the audit and provide a systematic
series of audit procedures, tests, or steps to answer each objective.
(a) Gather sufficient and appropriate evidence to convince a reasonable person of the
validity of the audit results. The amount and type of audit testing and evidence gathering
depends on the judgment of the auditor and Deputy Director for Audit.
(b) Design audit tests and data gathering procedures to facilitate subsequent
summarization and reporting. Using spreadsheets and tables will greatly aid in summarizing
data. Planning for summarization and reporting during program development will reduce the
time needed to complete the audit. NOTE: If the auditor develops spreadsheets or databases for
use in the audit program, the Deputy Director for Audit should (during subsequent working
paper reviews) perform basic internal consistency and logic checks to verify the accuracy of
worksheet formulas and calculations or to test the logic used in making database queries.
(2) Whenever possible, the auditor should use computer assisted auditing tools and
techniques (CAATTs) to obtain a 100 percent data download and draw conclusions for the entire
population.
(3) When use of CAATTs is not feasible, use sampling, if possible, to accomplish audit
objectives and maximize use of available audit resources. Select samples statistically whenever
possible. Use of statistical sampling is essential when the need exists to estimate PMB or the
extent of an error within an entire audited entity.
(a) Clearly identify the sampling plan and data requirements.
(b) Include guidance on selection parameters and number of items for testing in the
audit program.
b. Potential Findings. Include audit steps addressing suspected problems, probable causes,
and resulting impact. Design steps to determine:
(1) Condition. Gather sufficient and appropriate evidence to support a conclusion on
each suspected problem identified during planning and to determine the extent of the problem.
Use criteria as a basis to discuss the extent of the condition.
(2) Cause. Determine the cause of identified problems. Causes will frequently relate to
control problems (chapter 3, paragraph 8. e) such as inadequate procedures, guidance,
oversight, or training. Steps should seek to identify the root cause. For example, it is not
sufficient to tell management that personnel did not comply with a particular requirement - this is
not the root cause. Management also needs to know if employees lacked familiarity with the
requirement; did not have time to complete the requirement due to understaffing or some unusual
circumstance; or lacked training to complete the required task. Management may contribute to
the problem by failing to provide oversight, assigning too few staff to a task, or
underemphasizing the importance of a task. Identifying the root cause establishes the basis for a
recommendation that will correct the condition found.
(3) Effect. Quantify the effect of deficient conditions. Whenever possible, design steps
to capture “real” instead of “potential” impact.
c. Management Issues. Include audit steps that provide coverage of management’s
suggested issues or concerns, if applicable.
d. Prior Audits. Include audit steps to follow-up on prior audit results and recommendations
if, during planning, the auditor identified prior audit coverage corresponding to the audit
objectives of the current audit.
(1) Audit steps should be sufficient to determine if management took the indicated
corrective action and the action corrected the deficiency. If the condition still exists, the steps
should be sufficient to fully develop a “repeat” finding. The degree of support for repeat
findings (or to clear findings) is the same as for initial findings.
(2) Include steps to confirm the amount of PMB realized, if applicable. Unfortunately,
auditors frequently cannot trace changes in requirements and/or budgets to actual hard
documentation to ascertain the extent that a benefit actually occurred. However, auditors can
validate PMB when management makes a collection or billing or cancels a contract or purchase
request.
(3) When applicable, fully document why follow-up was not necessary or accomplished
on the findings and recommendations in prior audits with similar objectives.
e. Internal Controls. The audit program will include audit steps for each audit objective to
test the effectiveness of and compliance with the significant controls identified in
planning/research. The amount of testing will vary from audit to audit and depend on the
amount of control-related work accomplished during research and the importance of controls to
the objectives of the audit. Generally, the auditor will perform sufficient testing to ensure the
controls in place are consistently applied. The following provides guidance to use in assessing
controls.
(1) Personnel. Are a sufficient number of technically competent employees assigned to
accomplish the tasks, and have employees received adequate formal and on-the-job training?
(2) Documentation. Are transactions and other significant events clearly documented,
promptly recorded, and properly classified? Is the documentation readily available for
examination?
(3) Authorization. Are transactions and other significant events properly authorized and
executed only by persons acting within the scope of their authority?
(4) Separation of Duties. Are key duties in authorizing, processing, recording, and
reviewing transactions separated among individuals?
(5) Access. Is access to resources and records limited to authorized individuals, and is
accountability for resources assigned? Are resources periodically reconciled to accountability
records?
(6) Computer Systems. For computer-generated data, are system application controls in
place, are procedures documented for entering data into the computer system, and is access to the
computer system controlled?
(7) Oversight. Is qualified and continuous oversight provided to ensure personnel
comply with existing controls and internal control objectives are achieved?
(8) Compliance. If the system has a process to detect errors, perform sufficient testing to
satisfy yourself that the process has been implemented. If the system requires a separation of
duties, verify that one person does not have access to all steps of the process. If a process
requires approval, perform sufficient testing to ensure the proper individuals are properly
reviewing the task before providing the approval.
f. Fraud and Illegal Acts. Include steps that provide reasonable assurance of detecting fraud
when auditing in areas where the potential for fraud exists and either (a) planning audit tests
indicated the existing controls were not effective or lacked compliance, or (b) controls were not
tested in the planning phase.
g. Metrics. Verify the accuracy of any metrics identified during planning (chapter 3,
paragraphs 4.b. (3) and 5.e). Include steps in the program to determine if:
(1) Management personnel computed the metrics accurately. This involves performing
sufficient testing to determine if the metrics calculations were accurate.
(2) Management personnel reported the metrics correctly. This involves confirming the
documentation is complete and accurate and the metrics calculations were accurately and
completely reported to management.
h. Tests of Computer-Generated Data. Government auditing standards require auditors to
determine the reliability of computer-generated data when the data is crucial to accomplishing
the audit objectives. Consequently, whenever an auditor relies on computer-generated data and
reports as evidence to support an audit result, the audit program must include test steps to verify
the accuracy of the data and reports. NOTE: If auditors use the computer-generated data only
for background or informational purposes, citing the source of the data is sufficient.
(1) The two types of data testing methods are auditing around the computer (manual) and
auditing with the computer (automated). While the auditor may use either method, or a
combination of both, the manual method is the most common method used to test data reliability.
(a) Manual Method. Use the manual method when you have a visible audit trail to
verify computer processing results. To test data reliability: (a) confirm computer-generated data
with product users; (b) conduct physical counts and inspections; (c) review output listings for
completeness, obvious errors, and reasonableness of values; (d) trace source documents (e.g.,
purchase or receiving documents) to computer output; (e) recalculate computations; and (f)
develop additional tests deemed necessary to validate data reliability.
(b) Automated Method. The automated method uses computer-programmed tests to
measure data reliability. The auditor should take advantage of any error-checking options
available and include these in the audit program. The auditor should use various footing and
cross-footing techniques to ensure accuracy and identify errors when the data is entered into a
spreadsheet. Use range and reasonableness checks to identify obvious errors in data accuracy.
In addition, many data downloading programs contain built-in editing options. Auditors can
develop test transactions to determine whether the computer processes the transaction according
to system specifications. Consult a local computer specialist to assist in developing appropriate
tests. For additional information on this method, refer to (GAO-03-273G), “Assessing the
Reliability of Computer Processed Data,” October 2002, External Version 1, (Reference (g)).
(2) Sufficient testing will be accomplished to allow the auditor to reach one of the
following conclusions: the data was sufficiently reliable, the data was not sufficiently reliable, or
the data was of undetermined reliability.
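Added example (not part of DeCAM 90-5.1): one way to script the automated tests named in paragraph h.(1)(b), footing, cross-footing, and range and reasonableness checks, and to arrive at one of the three conclusions in paragraph h.(2). The schedule layout, column names, range limits, exception tolerance, and the rule mapping exceptions to a conclusion are assumptions made for illustration; the sample extract is constructed.

```python
"""Automated data-reliability tests on a spreadsheet-style extract."""
import csv
import io
from decimal import Decimal, InvalidOperation

COMPONENTS = ("grocery", "meat", "produce")  # assumed component columns
ROW_TOTAL = "total"                          # assumed row-total column

# Constructed sample extract with a system-reported footer row (TOTAL).
SAMPLE = """\
date,grocery,meat,produce,total
2014-03-01,41250.10,12300.55,8420.35,61971.00
2014-03-02,39875.40,11980.00,7990.60,59846.00
2014-03-03,40110.25,12075.75,8100.00,60826.00
2014-03-04,38990.00,-150.00,8230.50,47070.50
2014-03-05,42005.30,12500.20,812000.00,866505.50
TOTAL,202321.05,48706.50,844741.45,1096219.00
"""


def load_schedule(text):
    """Split the extract into detail rows and the reported footer (or None)."""
    rows, footer = [], None
    for rec in csv.DictReader(io.StringIO(text)):
        parsed = {"date": rec["date"]}
        for col in COMPONENTS + (ROW_TOTAL,):
            parsed[col] = Decimal(rec[col])  # exact decimal arithmetic, no float drift
        if rec["date"] == "TOTAL":
            footer = parsed
        else:
            rows.append(parsed)
    return rows, footer


def foot(rows, footer):
    """Footing: re-add each column and compare with the reported footer."""
    errors = []
    for col in COMPONENTS + (ROW_TOTAL,):
        computed = sum((r[col] for r in rows), Decimal("0"))
        if computed != footer[col]:
            errors.append((col, computed, footer[col]))
    return errors


def cross_foot(rows):
    """Cross-footing: components added across a row must equal the row total."""
    errors = []
    for r in rows:
        computed = sum((r[c] for c in COMPONENTS), Decimal("0"))
        if computed != r[ROW_TOTAL]:
            errors.append((r["date"], computed, r[ROW_TOTAL]))
    return errors


def range_check(rows, low, high):
    """Range and reasonableness: flag component values outside [low, high]."""
    return [(r["date"], c, r[c])
            for r in rows for c in COMPONENTS
            if not low <= r[c] <= high]


def assess(text, low=Decimal("0"), high=Decimal("100000"),
           tolerance=Decimal("0.05")):
    """Run all tests and map the results to one of the three conclusions.

    Assumed rule: any footing error, or more than `tolerance` of rows with a
    cross-footing or range exception, means the data is not sufficiently
    reliable. Data that cannot be tested is of undetermined reliability.
    """
    try:
        rows, footer = load_schedule(text)
    except (InvalidOperation, KeyError, TypeError):
        rows, footer = [], None
    if not rows or footer is None:
        return {"conclusion": "undetermined reliability"}

    findings = {
        "footing": foot(rows, footer),
        "cross_footing": cross_foot(rows),
        "range": range_check(rows, low, high),
    }
    flagged = {e[0] for e in findings["cross_footing"]}
    flagged |= {e[0] for e in findings["range"]}
    rate = Decimal(len(flagged)) / Decimal(len(rows))
    reliable = not findings["footing"] and rate <= tolerance
    findings["exception_rate"] = rate
    findings["conclusion"] = ("sufficiently reliable" if reliable
                              else "not sufficiently reliable")
    return findings


if __name__ == "__main__":
    for name, value in assess(SAMPLE).items():
        print(name, value)
```

The findings lists identify each exception by column or date, which gives the auditor the specific items to trace back to source documents.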
CHAPTER 4
AUDIT EXECUTION
1. Overview. This section identifies audit execution responsibilities and provides guidance
auditors will use to gather data and prepare detail working papers, summarize the audit results,
document the work accomplished to assess controls and verify data reliability, and validate the
audit results with management.
2. Execution Responsibilities.
a. The CCI Director shall:
(1) During working paper review (chapter 2, paragraph 3. a. (6)), verify the audit
execution phase was conducted IAW Yellow Book standards and DeCA CCIA policies and
procedures.
(2) Monitor audit progress and provide guidance and assistance, as necessary.
(3) Evaluate, then approve or disapprove, requests for deviations from established audit
project milestones, staff hours, and objectives.
(4) Ensure audit projects are completed in TeamMate (Appendix C).
b. The Deputy Director for Audit shall:
(1) Provide supervision and guidance, as needed, to the auditor through audit execution.
(2) Discuss execution results with the auditor on a frequent, recurring basis - at least
every two weeks for experienced auditors and more frequently for new auditors and trainees.
(3) During periodic working paper reviews, spot-check table and spreadsheet footings
and extensions for accuracy, before providing the draft audit report to the CCI Director.
(4) Provide the CCI Director periodic project status reports, conferences, or other locally
developed reports advising of audit progress and results.
(5) The CCI Director will determine reporting frequency.
(6) Evaluate and elevate, to the CCI Director, requests for deviations from established
audit project milestones and objectives.
(7) Approve any changes made to the audit program during audit execution. Evaluate
identified problems (e.g., information access) and either resolve or elevate the problem to the
CCI Director.
(8) Ensure audit projects are completed in TeamMate (Appendix C).
c. The lead auditor shall:
(1) Lead and guide the auditor through audit execution.
(2) Review summary and supporting working papers during audit execution, and
document the review in TeamMate coaching notes. Complete the review before providing the
draft audit report to the Deputy Director for Audit (Supervisory Auditor) for review.
(a) During working paper reviews, the lead auditor will spot-check table and
spreadsheet footings and extensions for accuracy.
(b) For any comments, questions, and directions documented in TeamMate coaching
notes, the lead auditor should follow up and ensure the auditor’s reply comments are responsive.
(3) Provide bi-weekly status updates (significant activities) to the Deputy Director for
Audit (Supervisory Auditor).
(4) Elevate to the Deputy Director for Audit (Supervisory Auditor) requests for
deviations from established audit project milestones and objectives.
(5) Evaluate identified problems and either resolve or elevate the problem to the Deputy
Director for Audit (Supervisory Auditor).
(6) Ensure audit projects are completed in TeamMate (Appendix C).
d. The auditor(s) shall:
(1) Conduct the audit IAW government and DeCA CCIA auditing standards.
(2) Apply each step in the audit program and collect sufficient and appropriate evidence
to answer all audit objectives and support the audit conclusions.
(3) Keep the lead auditor informed on how the audit is progressing, and notify the lead
auditor of any results requiring possible action. It may be necessary, for example, to reduce or
terminate work on one objective, expand work on another objective, or issue an interim report.
(4) Prepare working papers to document performed work IAW (chapter 4, paragraphs
3 through 5).
(5) Respond in a timely manner (normally within five working days) to Deputy Director for
Audit TeamMate coaching notes, answering questions and providing brief explanations of actions
that will be taken.
3. Working Paper Requirements. Auditors will use the TeamMate working paper file
structure to establish current files for each audit project. The use of electronic working papers
greatly reduces the requirement to print and manually store audit working papers and
significantly enhances the summarization and review processes.
a. General Requirements. Organize the TeamMate working papers to facilitate supervisory
review and so that subsequent reviewers can easily follow the auditor’s logic and find support for
the audit report. The auditor must provide the lead auditor and independent reference reviewer
with a road map through the electronic working papers that clearly shows all steps taken in the
audit process.
b. Hyperlinking Files. Generally speaking, hyperlinking requirements for electronic
working papers are the same as they were for manually prepared working papers. NOTE: Do
not hyperlink to Web-based documents when it is possible to download the documents to your
computer and hyperlink to the downloaded documents. Web addresses and documents on the
Web constantly change. Further, always hyperlink to files that are part of the current project file
structure.
c. Supervisory Review. The lead auditor and Deputy Director for Audit (Supervisory
Auditor) will review project working papers and use TeamMate coaching notes to comment on
the working papers reviewed; indicate the dates they reviewed the specified working papers; and
record their review questions, taskings, and overall comments (both favorable and critical).
Also, the lead auditor must electronically sign auditor-prepared electronic working paper files.
d. Manual Working Papers. When necessary to prepare working papers manually, record
complete identification data on the first page of each working paper (Audit Number, Title,
Auditor, Date, Reviewer, Working Paper Title, Page Number, and Index). When you have more
than one page of a working paper with the same index and working paper title, you may omit
entries in the “Working Paper Title” block from all subsequent pages of the working paper.
4. Detail Working Papers (TeamMate Procedures). TeamMate procedures contain responses
to all audit program steps and any other data the auditor needs to build a firm, evidential
structure on which to base audit results, their causes and effects, and related recommendations.
Procedures can also be referred to as supporting working papers because they are linked to and
serve as support for the summary working papers (TeamMate Exceptions) (chapter 4,
paragraph 5). When preparing procedures, consider the following:
a. Step/purpose, scope/methodology, sources, criteria, results/discussion, conclusion, and
data reliability. Each procedure must clearly show these elements.
(1) Step/Purpose. This should hyperlink the reviewer to the specific audit step or series
of audit steps to state the specific purpose for the work included in the procedure.
(2) Scope/Methodology. The scope should include the parameters of work
accomplished, e.g., timeframe or applicable dollar values. The methodology should explain
what the auditor did to accomplish the stated purpose. If the methodology is stated in other
supporting (detail) working papers, schedules, or exhibits, hyperlinking to the applicable
working paper will suffice.
(3) Sources. The auditor should identify all sources, whether management officials, data
systems, reports, etc.
(4) Criteria. The auditor should state the “should be” status of the functional area or
issue being reviewed. If specific criteria are identified in related directives, hyperlinking to
bookmarks in these directives will suffice.
(5) Results/Discussion. This paragraph should include a description of what you
found/identified as a result of the work accomplished.
(6) Conclusion. This paragraph should state the auditor’s conclusion formulated from
the results obtained.
(7) Data Reliability. The auditor should discuss the types of evidence used to form
conclusions and the reliability of the evidence/data.
b. Exhibits and Schedules. These are among the most common types of supporting
documentation.
(1) Requirements. The wide variety of DeCA audit subjects may require the auditor(s)
to plan and design unique exhibits and schedules for each audit project. Therefore, properly
planning exhibits and schedules will ensure they provide written evidence of work performed
and pinpoint the deficient conditions. In developing an exhibit or schedule, the auditor must
determine:
(a) What the auditor(s) will prove (the audit objective).
(b) What data the auditor(s) will need to complete the exhibit or schedule.
(c) What comparisons or analyses the auditor(s) will make to prove the condition or
arrive at a conclusion.
(d) Where the auditor(s) will locate the data (filed, recorded, etc.) and how to identify
the data.
(2) Design. After determining exhibit or schedule requirements, the auditor(s) must
design a schedule or exhibit format that will clearly present the results of the audit work. Each
schedule or exhibit must contain the following basic elements (or, as applicable, hyperlinks to
files where the information is located):
(a) Title or heading that clearly identifies the schedule or exhibit and its purpose.
(b) Identity of the organization and/or activity involved.
(c) Applicable time periods.
(d) Sources of data presented (very important).
(e) Data used for comparison or analysis (e.g., stock number, name, quantity, or unit
cost).
(f) Conclusion or Results of the Comparison or Analysis. The conclusion or results
should contain the following: a column displaying the variances or discrepant condition
(expressed in quantities); a column showing the cause for discrepant conditions (enter a letter or
number in the column that relates to appropriately referenced footnotes to identify the causes);
and a narrative conclusion summarizing the extent of identified discrepant conditions
(materiality, frequency, cause, impact, etc.).
(3) Additional Considerations. Consider the additional information identified below in
preparing exhibits and schedules (and other supporting working papers).
(a) Neatness and clarity are essential elements of all working papers and are
particularly critical to develop meaningful and understandable exhibits and schedules.
(b) Properly hyperlink (cross reference) summary working papers (Exceptions) to the
related exhibits, schedules, and TeamMate Procedures.
(c) Keep footnotes simple. Clearly explain or define footnotes on the
page/worksheet they appear or in a separate legend on the first or last page/worksheet of the
schedule.
c. Working Paper Hyperlinks. Auditors will hyperlink (cross-reference):
(1) Supporting working papers/procedures to interdependent supporting working papers
(those supporting working papers used as a source to prepare other supporting working papers).
NOTE: Remember to download web-based documents to your computer where possible before
hyperlinking.
(2) Audit program steps to supporting working papers/procedures.
5. Summary Working Papers (TeamMate Exceptions). Prepare exceptions that summarize
the data contained in the detail working papers/procedures (audit program step responses, control
assessments, schedules, exhibits, and other related documents). Follow the guidance below on
required summary working paper elements. Proper use of summary working papers/exceptions
will significantly facilitate both report writing and working paper reviews.
a. Objective/Condition.
(1) The auditor will specifically state in the objective/condition tab what he or she
expected to accomplish and why. When applicable, the auditor will indicate the general criteria
(quantity, percentage, regulatory requirement, etc.) used to determine whether a deficient
condition existed. A clearly defined objective is imperative as it establishes the parameters
within which the auditor performed subsequent work. An objective such as “Reviewed DeCA
Forms XXX, Travel Authorization, for the period January 1 through March 31, YYYY” is
incomplete because it does not state what the auditor expected to determine or accomplish as a
result of the review. Instead, an objective such as “Reviewed DeCA Forms XXX, Travel
Authorization, for the period January 1 through March 31, YYYY, to determine whether all
travel authorizations were properly approved.” is a complete objective. NOTE: If the auditor
adequately stated the objective in the audit program step, then a hyperlink between the program
step and the exception will suffice.
(2) The auditor will also state the answer to the objective (condition element of the
finding). This element will always state the positive or negative condition disclosed as a result
of the detailed work performed. Ideally, this will also be the focus sentence for the audit results
paragraph in the audit report. NOTE: Include positive (deficiency-free) as well as negative
(deficient) conditions. For example, if the auditor found that “management established adequate
inventory procedures to ensure a reliable inventory,” “testing disclosed no errors,” etc., so state
in the condition. The word “none” is not acceptable to describe a positive condition. In addition
to answering the objective, the auditor will provide specific details (support), to include specific
examples or a schedule that highlights the magnitude of the deficiency. Provide support for
positive, as well as negative, conditions.
b. Cause. This is the root cause (weak or absent controls or reasons for noncompliance with
existing controls) of the deficient condition and is the element of the audit result your
recommendation addresses. If the condition is positive, the cause paragraph is not applicable.
c. Impact/Effect. This element describes the significance of the finding and identifies PMB,
if any. If no impact exists, either real or potential, then the finding is not reportable. If the
condition is positive, the impact paragraph is not applicable.
(1) If PMB is identified, the detailed working papers will clearly indicate how the auditor
computed the savings, including any rationale used in developing the PMB. For calculating and
reporting PMB, see Reference (e).
(2) For negative conditions that have weak or limited impact to management, include
“minor” or “oral,” as applicable, after the related recommendation in the working papers. Use
“minor” if planning to issue a Letter of Minor Findings memorandum (chapter 5, paragraph 3.
a. (4)) containing the condition. Use “oral” if out-conferencing the finding but not including it in
a report or memorandum.
d. Criteria/Background. These are the guidelines (directives, good business practices, law,
etc.) and other information you used to evaluate the audited function. In addition, you may need
to include function-specific data that would be important for the audit report reader to know to
better appreciate the significance of the finding. For example, you may want to state that the
function had recently undergone reorganization, or that the Commissary Advanced Resale
Transaction System (CARTS) front-end system had only been in use for three months at the
location audited, or a Black Belt assessment resulted in a recommendation to improve program
internal controls. If the auditor adequately stated the criteria or applicable background data in
the audit program or related procedures section, then a hyperlink between that information and
the exception will suffice.
e. Recommendations. This paragraph must address correction of the root cause of the
deficient condition as well as correction of any specific deficiencies identified in the “support”
for the condition element. For example, if key accountable internal controls were missing or
weak, you would have recommendations to establish and implement or strengthen applicable
controls. If, as part of the condition support, the auditor concluded that accountable keys were
kept on a table in the cash office for anyone’s use without having to personally sign for the key,
then the auditor would make a recommendation to terminate this practice and require all
authorized personnel to sign for keys. If the condition is positive, the recommendations
paragraph is not applicable.
f. Summary/Exception Hyperlinks. Auditors will hyperlink (cross-reference) all pertinent
elements of the exception to the supporting (procedures) working papers, exhibits, schedules, etc.
g. Exception Working Paper Quality Check. Use the following checklist to assess the
adequacy of your exception working papers:
(1) Objective. Does the objective clearly state what you expected to accomplish and
why? If referenced to an audit program step, does the step sufficiently describe the objective?
(2) Condition. Does the first (topic) sentence state the positive or negative condition
disclosed as a result of the audit work performed (answer the objective)?
(3) Support. Does the support provide appropriate and sufficient evidence, to include
examples, to validate the condition statement and provide the proper perspective?
(4) Cause. Is this the root cause (weak or absent controls or reasons for noncompliance
with existing controls) of the deficient condition?
(5) Impact/Effect. Does this explain the full significance of the finding? Are PMB
computations and rationale used to develop PMB properly documented?
(6) Criteria/Background. Does the criteria/background identify all aspects of the
required or desired state against which you measured actual performance for each objective?
(7) Recommendations. Do the recommendations address the root cause of the condition?
If applicable, do the recommendations also correct specific deficiencies identified in the support
element of the findings paragraph?
6. Changes During Audit Execution. If it becomes necessary to revise (add or delete) audit
objectives during audit execution, or to terminate the audit project without issuing a report,
follow the guidance in the paragraphs below.
a. Revisions to Objectives. If, during the course of answering the audit objectives, audit
work leads to additional review areas, notify management orally of the additional objectives.
When revisions to the audit objectives cause milestone or resource changes, obtain Deputy
Director for Audit approval for the changes and update milestones accordingly.
b. Audit Program Changes. Revise the audit program to add steps to accomplish the new
objectives. The Deputy Director for Audit (Supervisory Auditor) must approve revisions to the
audit program.
c. Early Termination. If it becomes necessary to close out an announced audit without a
report, obtain CCI Director approval to close the project. Issue a closure memorandum
following the guidance in (chapter 3, paragraph 7. g. (2)) and update TeamMate.
7. Data Reliability Documentation. The auditor will prepare a separately indexed working
paper/procedure entitled “Computer-Processed Data Reliability Assessment” to document the
data reliability assessment (or reasons for not performing the assessment). At a minimum, the
data reliability assessment working paper will indicate: (a) name of the computer system or
database from which auditors extracted data; (b) extent of data testing (types of tests) performed
to determine the data’s reliability; (c) results of tests conducted to assess data reliability; and,
(d) auditor conclusion on data reliability. Hyperlink the data reliability assessment working
paper to the supporting working papers. If planning results included in step 9a of the Audit
Planning Program (Appendix F) apply, use these results for this working paper and include the
required hyperlinks and narrative explanation. If the auditor did not test the data, the auditor will
document the reasons in the working papers and explain the impact on the results of the audit.
8. Audit Sampling Documentation. Auditors will document in TeamMate procedures the
methodology, computations, and inferences made from CAATTs or statistical samples used in
the audit.
a. Statistical Sampling. Auditors using statistical sampling should identify the depth of data
selected for review; criteria used for initial selections; criteria used to narrow down the initial
selection (if applicable); and techniques used to select, analyze, and evaluate the data. In
addition, the auditor should identify the size of the universe from which the sample was selected.
NOTE: If the auditor used various samples or sampling methods to achieve the audit objectives,
and the deficient conditions relate to different samples, include the related sample data with the
applicable condition provided in the exception.
b. Non-Statistical Sampling. For non-statistical (judgmental) samples, identify sample size,
what was sampled (line items, units, transactions, etc.), dollar value of the sample size (if
applicable), and time period relating to the universe from which the sample was selected. Also,
if the non-statistical sample includes only data with special characteristics or within certain
parameters, identify the characteristics or parameters. (Although not mandatory for judgmental
sampling, you should also identify the size of the universe if determinable with minimum effort.)
9. Validating Audit Results. The auditor will discuss (validate) audit findings with
management while conducting the audit--and not wait till the end of the audit. Early validation
of the findings will assist the auditor in obtaining management’s concurrence with the audit
conclusions, and will provide operating personnel the opportunity to correct the identified
problems before the audit is completed. The auditor will:
a. Meet face-to-face with function personnel throughout the audit to validate the accuracy of
audit data and conclusions. If function personnel believe the audit conclusions are inaccurate, or
the auditor has misinterpreted specific data, the auditor should conduct additional audit tests, as
necessary, to re-verify data accuracy and reassess the accuracy of the conclusions.
b. Discuss possible causes and proposed recommendations with management during the
validation discussions. If the auditor and management personnel agree on a course of action that
will correct the identified problems, then management can begin work during the audit to
implement the agreed-to actions. If management completes action and corrects the problem
during the audit, the auditor can note this achievement in the audit report.
c. Conduct additional audit tests, as necessary, or examine documentary evidence to
determine the validity of management officials’ statements that may impact the context,
perspective, or accuracy of audit results.
d. Document the validation discussions in the TeamMate working papers.
CHAPTER 5
REPORTING REQUIREMENTS
1. Overview. Reporting requirements establish the overall approach for auditors to apply in
communicating the results of the audit. CCIA is required to issue a report (either positive or with
findings) on all audits, including audits terminated at the end of the planning phase or curtailed
before completing execution, where the auditor gathered sufficient and appropriate evidence to
support an opinion. Auditors will use the guidance in this chapter to prepare, process, issue, and
assure the quality of audit reports. Audit reports are initially issued in draft format for
concurrence/non-concurrence with recommendations, and for management comments or
discussion.
2. Draft Report Responsibilities.
a. The CCI Director shall:
(1) Review each draft report and confirm the report is logically sound and opinions,
conclusions, and recommendations are reasonable, material, and consistent with the factual
information presented.
(2) Approve each draft report for discussion and subsequent release.
(3) Ensure audit projects are completed in TeamMate (Appendix C).
b. The Deputy Director for Audit (Supervisory Auditor) shall:
(1) Keep the CCI Director informed on progress in completing the draft report.
(2) Review TeamMate coaching notes.
(3) Elevate finished draft reports to the CCI Director for discussion and release approval.
The Deputy Director for Audit (Supervisory Auditor), lead auditor, and auditor share
responsibility for the accuracy, validity, and quality of the draft report submitted to the CCI
Director for review.
(4) Ensure the independent reference reviewer (IRR) statement (Appendix I) is included
in the appropriate TeamMate folder.
(5) Attend exit conferences with the auditor and lead auditor, as appropriate. If it is not
possible for the lead auditor to attend, the Deputy Director for Audit (Supervisory Auditor) will
attend.
(6) Ensure audit projects are completed in TeamMate (Appendix C).
(7) Release the Draft Report.
c. The lead auditor shall:
(1) Monitor auditor progress in completing draft reports and ensure reports are
completed in a timely manner. Keep the Deputy Director for Audit (Supervisory Auditor)
informed on progress in completing the draft report.
(2) Review and ensure draft reports meet Yellow Book reporting standards (Reference
(d)). Record comments electronically on draft reports, using TeamMate coaching notes.
(3) Elevate draft reports to the Deputy Director for Audit (Supervisory Auditor) for
discussion. The lead auditor and auditor share responsibility for the accuracy, validity, and
quality of the draft report submitted to the Deputy Director for Audit (Supervisory Auditor) for
review.
(4) Ensure the auditor thoroughly cross references the CCI Director-approved discussion
draft to exception and procedures working papers in TeamMate, as appropriate.
(5) Ensure a qualified auditor independently references and reviews the draft report
before discussing the report with management. Review and sign the IRR statement (Appendix
I) and include in the appropriate TeamMate folder.
(6) Attend exit conferences with the auditor.
(7) Ensure audit projects are completed in TeamMate (Appendix C).
d. The auditor(s) shall:
(1) Prepare the draft report IAW Yellow Book standards and DeCA CCIA policies and
procedures (References (a) and (b)). The assigned auditor(s) have primary responsibility for the
accuracy, validity, and quality of the original draft report submitted for review, and share
responsibility with the lead auditor for all subsequent revisions.
(2) Thoroughly cross-reference the CCI Director-approved draft report to
summary/exception and supporting/procedures working papers.
(3) Provide the cross-referenced draft report and supporting working papers to the
assigned IRR for verification, and answer the IRR comments via TeamMate coaching notes.
(4) If warranted, out-brief the draft report with management, and revise the report as
necessary based on the results of discussions.
(5) Notify the lead auditor when making report changes that require re-referencing; i.e.,
facts and figures and/or conclusions change.
3. Audit Report General Requirements.
a. Report Criteria. Issue reports, or close projects without a report, according to the
following criteria:
(1) Audit Program Completed. Issue an audit report on all projects for which auditors
completed the audit program.
(2) Projects Cancelled Before Completion of the Audit Program.
(a) Report. Issue an audit report on projects cancelled before completing the audit
program when sufficient work was performed to reach a conclusion.
(b) No Report. If sufficient work was not performed to reach a conclusion, obtain
the CCI Director’s approval to close the project without a report. Issue a closure memorandum
to cancel the project following the guidance in (chapter 3, paragraph 7g (2) (b)) and update
TeamMate.
(3) Fact-Gathering Projects. Close out fact-gathering/workload survey efforts with a
memorandum addressed to the head of the functional area visited, as appropriate.
(4) Letter of Minor Findings. Use the Letter of Minor Findings to report audit results
that do not warrant inclusion in a report of audit but which may develop into significant
problems if not corrected. Include a statement in the overall evaluation of the related audit
report, if one is issued, similar to the following: “We noted certain conditions of less
significance that we reported to the management of (name of entity) in a separate memorandum
dated Month DD, 20XX.”
b. Information. Reports will include a page of miscellaneous additional information.
(1) Additional Information. A contact is included to request additional report copies.
(2) Suggestions for Audits. A phone number, email, and mailing address are included
for submitting audit suggestions.
(3) Fraud, Waste and Abuse (FWA). The DeCA FWA Hotline number is included.
(4) Acronyms and Abbreviations. A listing of acronyms and abbreviations is included.
4. Report Format-Executive Summary. The executive summary provides the reader a brief
overview of the audit and generally consists of four sections: introduction, objectives, results,
and recommendations. To the extent practical, the summary should be limited to one page.
a. Introduction. The introduction should be brief and provide only: (1) information needed
to understand the audit conclusions; and (2) perspective on the magnitude of the audit entity.
Provide additional background information in the body of the report. For follow-up reports,
identify the prior report number and date.
b. Objectives. In the objectives section, explain why the audit was performed and state the
audit’s overall objective and major sub-objectives. The objectives identified in this section
should be similar to, or the same as, the objectives shown in the audit announcement
memorandum/email. If the audit was a requested audit, the objectives paragraph should note this
fact.
c. Results. The results should address the overall objective of the audit and the sub-
objectives in the same order they are listed in the objectives section. Provide positive, as well as
negative, audit results. List positive results first. NOTE: For reports that have a mix of clear
and deficient conditions, it is sufficient to identify the clear conditions in the executive summary
without further discussion in the body of the report. For reports that do not have deficient
conditions, briefly discuss the clear conditions in the body of the report.
(1) The first sentence in the results section main paragraph must contain a statement
assessing the overall audit objective as stated in the objective paragraph.
(2) Succeeding subparagraphs will provide the audit results for each audit area (sub-
objective). For each audit result, include a results paragraph that briefly summarizes the
condition and impact.
(3) Identify repeat deficiencies as “repeat findings” along with the related report
references. Reference (chapter 6, paragraph 9a (1)).
(4) If issuing a related Letter of Minor Findings Memorandum, refer to it in the overall
results paragraph as follows: “We noted certain findings of less significance that we reported to
management of the (name of entity) in a separate memorandum dated Month DD, 20XX.”
(5) For positive reports (no deficiencies), provide sufficient information to demonstrate
that the area had no deficiencies.
d. Management Corrective Actions. This paragraph is optional. If desired, the audit team
can use this paragraph to give management credit for the actions they already took to correct
deficiencies the auditor identified during the audit. Keep the paragraph brief and conclude with
the following statement: “(Reference page X for specific corrective actions.).”
e. Recommendations. Insert the recommendations.
5. Report Format. All reports will present each major audit result and group related audit
results together. Normally group by sub-objective and arrange conditions in the order of their
relative importance. Keep titles as short as possible. Identify the subject for discussion rather
than synopsize the results. For instance, use “Cash Controls” not “Lack of Control over Cash”.
NOTE: Use captions on main segments, paragraphs, and subparagraphs as needed, to draw the
reader’s attention to specific information. When used, boldface main paragraph captions and
underline subparagraph captions.
a. Synopsis (Optional). The audit team is highly encouraged to include a synopsis for report
sections that address more than one finding or contain one finding that is long and complex. If
included, the synopsis will briefly summarize the findings (condition, cause, and impact) in the
same order as they are discussed in the report.
b. Background (Optional). Limit the background paragraph, if used, to information needed
to understand the audit results and criteria (internal controls) used to conduct the audit. Do not
provide extraneous information that does not facilitate an understanding of the results section
issues. Include such information in (Appendix J) of the report, if considered important.
c. Audit Results/Findings. Each audit result will be titled (keep brief) and be captioned
“Finding” and include “Management Corrective Actions” (if applicable). Sections for
recommendations, management comments, and evaluation of management comments are at the
end of the report, prior to the Appendices.
(1) Condition. Include all necessary facts using specific examples or cases to
demonstrate the condition, promote an adequate understanding of the matters reported, and
provide convincing but fair presentations in proper perspective. Use tables or supporting
schedules to provide detailed statistical data and provide the reader a greater understanding of
and appreciation for the magnitude of the problem. NOTE: Do not use personal information,
such as names or social security numbers, or other extraneous information in audit reports.
(a) The first (topic) sentence should focus the reader on the condition noted as well
as the relative significance of the condition. Describe the condition found using past tense and
active voice.
(b) Clearly explain the nature, extent, and frequency of the deficiencies. Include all
necessary facts using specific examples or cases to demonstrate the deficiency. Use supporting
schedules to provide detailed statistical data or show the problem’s magnitude. Identify
locations where auditors found the condition. State to what extent (quantity, percentage, etc.)
management deviated from the established standard.
(c) State findings clearly and concisely using nontechnical terms to the maximum
extent possible. Avoid the use of vague or imprecise terminology (e.g., some, not many, not
always). Round numbers to enhance clarity of presentation. Also, avoid the use of excessively
lengthy paragraphs. Use subparagraphs and captions, when appropriate, to assist the reader’s
understanding.
(2) Cause. Identify the root cause first, followed by the contributing causes. Provide the
related criteria (if not already provided in the background). Do not include a cause for which
there is no recommendation.
(a) The root cause is normally weak or absent controls or reasons for noncompliance
with existing controls. It is the situation or procedure which, when changed or corrected, will
solve the problem or condition. If the activity needs to improve controls, so state. If personnel
did not follow directives, explain why not.
(b) Causes will not be subjective (i.e., the auditor should not normally indicate lack
of awareness, misinterpretation of guidance, operating personnel beliefs, etc. caused the
problem). It should be clear the discrepant conditions noted in the audit could have occurred as a
result of the cited causes.
(3) Impact/Effect. Express impact in terms of dollars or number of deficiencies in a
population. If using statistical sampling, state the impact in terms of projected errors. State the
impact in positive terms when possible (e.g., “eliminating the problem will provide benefits”)
instead of negative terms (e.g., “failure to correct will create further problems”).
(a) In performance audits, reductions in efficiency and economy or shortfalls in
obtaining program objectives are appropriate measures of impact. Express these in quantitative
terms such as dollars, number of personnel, units of production, quantities of material, number of
transactions, or elapsed time.
(b) Provide specific examples when possible. If you cannot ascertain the actual
impact, you can sometimes use potential or inferred impact to show the significance of the
condition.
(c) If PMB is identified, include the dollar amount in the audit results paragraph, and
state how the PMB was determined.
(d) When using statistical sampling, state the impact in terms of projected errors
(e.g., “we estimate management processed between 800 and 1,000 of the 2,000 transactions
late”). When using judgmental sampling, just show test results without stating or implying an
estimate or projection (e.g., “we identified 50 of 100 work orders with labor charges exceeding
established limits”).
(4) Management Corrective Actions. When appropriate, include in the report significant
discrepancies disclosed and corrected during the audit along with an explanation of the
corrective action taken. Use the caption “Management Corrective Action” for these paragraphs,
and be sure to verify that management did, in fact, correct the discrepancy; the auditor must
document the verification work accomplished in the project working paper files. A completed
corrective action is defined as a completed action (not promised or initiated) that corrects the
cited condition and eliminates the need for a recommendation.
(a) The following is an example of typical actions that should be reported as
corrective actions completed during the audit: “During the audit, management deobligated the
unliquidated obligation (ULO) balances and trained personnel to properly perform the required
tri-annual review.” In this example, management completed two actions which corrected the
cited condition and addressed the cause cited in the audit results.
(b) The following example is an action that should not be reported as a corrective
action completed during the audit: “During the audit, management initiated action to obtain
funding to use in correcting the vulnerabilities cited above.” In this example, the action taken
ensured neither funding would be obtained nor would the vulnerabilities be corrected.
(5) Recommendations. Recommendations should immediately follow the results section
and be presented in the same order as their related findings. The recommendations should first
address the deficient condition, if applicable, then the root cause and other contributing causes,
and finally any PMB claimed. Do not include a recommendation that does not address either a
cause or condition statement.
(a) Recommendation Requirements. Number recommendations consecutively.
(b) Each recommendation should:
1 Require only one management action, even though the report may direct
several related recommendations to the same management official. If more than one independent
management action is required, restructure into separate, numbered recommendations.
2 Normally direct recommendations one position higher than the staff/official
position (not an individual’s name) responsible for taking the corrective action. Do not direct
recommendations higher than the report addressee.
3 Recommendation Logic. The relationship between the recommendations and
the condition or the cause of the condition must be clear and logical. Each recommendation
should relate to either a cause or a condition, and conversely each cause should have a
recommendation.
4 In addition, recommend actions that are definite and avoid, to the extent
possible, such words as ensure, consider, perform a study, emphasize, and reevaluate.
5 Make two recommendations if the management action may take an unusual
length of time to complete (e.g., revising a directive). The first recommendation should provide
a permanent fix for the root cause of the deficient condition; the second should address interim
procedures to temporarily control the deficient condition until management implements the
permanent fix.
(6) Management Comments. Government auditing standards require reporting the views
of responsible management officials. Consequently, DeCA CCIA requires management
comments for each audit result (finding), recommendation, and PMB included in the audit report.
If management comments are overly long, you may paraphrase the comments and include them
in their entirety as a report attachment.
(a) Include management comments verbatim in the final report immediately
following the recommendations. In the draft report, provide a paragraph caption and reserve
space for the management comments immediately following the recommendations.
(b) Inclusion of management comments in a no finding report is optional. A no
finding report does not identify any deficient conditions. Conversely, a report that identifies
deficient conditions but does not contain recommendations (e.g., management corrected the
identified problems during the audit) must include a management comments paragraph.
(7) Evaluation of Management Comments. The final report will include an evaluation
addressing the responsiveness of management comments after the management comments
paragraph. In the draft report, provide a paragraph caption and reserve space for the audit
evaluation statement. Do not include an evaluation of management’s comments in clear reports.
6. Report Format-Appendices. Include the following appendices with each report:
background information (optional), glossary of acronyms (optional), and general audit
information (audit scope and methodology, data reliability, prior audit coverage, and discussions
with management officials). NOTE: The following appendix may also be required:
management verbatim comments (final report) (chapter 6, paragraph 3. d.).
a. Background Information. This optional appendix, if included in the report, will be the
first appendix. Use this appendix to provide: (a) pertinent background information concerning
the area reviewed; and (b) detailed information readers need to understand the report’s issues and
results. Normally, this appendix will not repeat information provided earlier in the executive
summary or the results background paragraphs. If not discussed earlier in the report, include
criteria (laws and regulatory requirements) the auditor used to evaluate operations and
management effectiveness. If the auditor’s criteria differ from management’s, explain the
auditor’s rationale for using different criteria.
b. General Audit Information Appendix. The general audit information appendix indicates
how the audit was conducted and provides other important audit parameters. The prior audit
coverage section will identify prior audits with similar objectives that the audit team followed up
on. If applicable, this appendix will also include a section titled “related reports” that includes
reports of interest in the same area as the current audit that the audit team did not follow up on.
(1) Audit Scope and Methodology Section. The audit scope and methodology section
will include, at a minimum, audit coverage, sampling methodology, and applicable directives and
laws.
(a) Audit Coverage. The audit coverage paragraphs should contain the following:
1 Work Performed. Clearly indicate the parameters of the audit and the
methodology used in the review so the reader fully understands the work both performed and not
performed. Reference the Yellow Book (chapter 7, paragraphs 9 through 12, and chapter 8,
paragraphs 9 through 13) (Reference (d)).
2 Scope Limitation. If the audit scope was limited for any reason, explain why
and include qualifying statements when necessary to ensure the reader will understand the extent
of audit coverage and the basis for the auditor’s opinion.
3 Audit Time Period. Indicate when the audit was performed (from month and
year planning work began to month and year execution ended), and that the report was conducted
IAW Reference (e).
4 Documents Reviewed. Identify the documents (title and time period) reviewed
during the audit. The following examples illustrate this requirement: (a) “This audit covered
front-end department operations transactions during the 4-month period ending July 31, 20XX,”
(b) “This audit included an evaluation of travel authorization internal controls for the 3-month
period ending June 30, 20XX,” or (c) “We reviewed vehicle utilization records covering FY
20XX.”
(b) Sampling Methodology. Follow the guidance below for reporting use (or non-
use) of sampling and CAATTs.
1 Sampling. If the audit involved sampling, indicate in the report the parameters
(number of line items, units, dollar values, transactions, etc.) relating to the sample and to the
universe from which the sample (if determinable) was selected. Also, indicate the period of time
covered. Further, indicate how the sample was used (e.g., projected to the entire universe to
estimate a PMB or error rate or provide an overall assessment about an entity). If various
samples, sampling methods, etc., were used to achieve the audit objectives that resulted in
reportable conditions, consider including the sample information in the related finding paragraph
instead of in the general audit information appendix. For judgmental samples, identify the
special characteristics or parameters used in selecting the samples.
2 CAATTs. If the audit involved CAATTs, specifically say so and explain the
tools used; depth of data selected for review; criteria used for initial selection; criteria used to
narrow down the initial selection (if applicable); and techniques used to select, analyze, and
evaluate the data.
3 Non-Use of Sampling or CAATTs. If sampling or CAATTs were not used, so
state. For example, state: “We did not use statistical or judgmental samples or computer assisted
auditing tools and techniques to analyze data or project results in this audit.”
4 Data Reliability. Auditors should assess the sufficiency and appropriateness of
computer-processed information regardless of whether this information is provided to auditors or
auditors independently extract it. The nature, timing, and extent of audit procedures to assess
sufficiency and appropriateness is affected by the effectiveness of the entity’s internal controls
over the information, including information systems controls, and the significance of the
information and the level of detail presented in the auditors’ findings and conclusions in light of
the audit objectives.
(c) Sufficiently Reliable Data. Present your basis for assessing the data as
sufficiently reliable, given the research questions and intended use of the data. This presentation
includes: (1) noting what kind of assessment you relied on; (2) explaining the steps in the
assessment; and (3) disclosing any data limitations. Such disclosure includes:
• telling why using the data would not lead to an incorrect or unintentional message,
• explaining how limitations could affect any expansion of the message, and
• pointing out that any data limitations are minor in the context of the engagement.
(d) Not Sufficiently Reliable Data. Present your basis for assessing the data as not
sufficiently reliable, given the research questions and intended use of the data. This presentation
should include what kind of assessment you relied on, with an explanation of the steps in the
assessment. In this explanation: (1) describe the problems with the data, as well as why using
the data would probably lead to an incorrect or unintentional message; and (2) state that the data
problems are significant or potentially significant. In addition, if the report contains a conclusion
or recommendation supported by evidence other than these data, state that fact. Finally, if the
data you assessed are not sufficiently reliable, you should include this finding in the report and
recommend that the audited entity take corrective action.
(e) Data of Undetermined Reliability. Present your basis for assessing the reliability
of the data as undetermined. Include such factors as short time frames, the deletion of original
computer files, and the lack of access to needed documents. Explain the reasonableness of using
the data, for example: These are the only available data on the subject; the data are widely used
by outside experts or policymakers; or the data are supported by credible corroborating evidence.
In addition, make the limitations of the data clear, so that incorrect or unintentional conclusions
will not be drawn from the data. For example, indicate how the use of these data could lead to an
incorrect or unintentional message. Finally, if the report contains a conclusion or
recommendation supported by evidence other than these data, state that fact.
(f) If computer processed data was not used or relied on, so state. For example, state:
“We did not use or rely on computer processed data to support conclusions in this audit.”
(g) In the cross-referenced draft report, hyperlink the data reliability statement to the
supporting working paper (chapter 5, paragraph 2. c. (4)).
(3) Prior Audit Coverage. Prior audit coverage applies when the current audit’s
objectives are the same as or similar to a prior DeCA CCIA, DoDIG, or GAO audit, as
determined in the planning phase (chapter 3, paragraphs 5. b, 7. e, and 8. d). It does not apply
to audits accomplished specifically to follow up on prior audit reports.
(a) Identify prior reports that required follow-up work in the prior audit coverage
section. Do not include related reports with dissimilar objectives. For audits listed in this
section, include the following information:
1 Indicate if management satisfactorily implemented the recommended corrective
actions.
2 State if management actions corrected the problems.
3 If the audit results in a “repeat” finding, state so in this paragraph, include it as
a regular audit result (finding) in the body of the report, and reference the audit results paragraph
in this paragraph. See (chapter 6, paragraph 9a (1)) for guidance on identifying and reporting
“repeat” findings.
(b) If no audits with similar objectives existed, so state. For example, “Our review of
audit files and contact with function officials disclosed no other audit reports within the last five
years that related to our audit objectives.”
(4) Discussions with Responsible Officials. The audit team must discuss the draft report
with responsible management officials before issuing the report for comment (chapter 4,
paragraph 9). In the report, include a paragraph stating with whom (by position title and
organization) the audit team discussed or coordinated the report. For example, “We discussed
this report with the Commissary Officer, front-end cash office personnel, and other interested
officials, at the XXXX Commissary.” Also, indicate the date (month, day, and year) you issued
management the draft report. In the final report, indicate the date you received management’s
written comments (oral comments for a clear report).
7. Report Quality Assurance.
a. Cross Referencing. The auditor will hyperlink (cross reference) the CCI Director-
approved draft report (chapter 5, paragraph 2a (2)) to the working papers. Hyperlink/
bookmark to the specific point in the working papers where the support is located. When
preparing working papers manually, cross reference the draft report by annotating in the report
margins where supporting information can be found in the working papers and, in the working
paper margins, the report paragraph dealing with the working paper item.
(1) The auditor will hyperlink the report to TeamMate exceptions working papers. As
discussed in (chapter 4, paragraph 4c), the auditor should already have cross referenced from
the exceptions to the supporting (detail) (procedures) working papers. NOTE: The auditor may
elect to cross reference directly to supporting working papers. While not preferred, this
procedure is allowed so long as the auditor has prepared an exception and hyperlinked it IAW
(chapter 4, paragraph 4. c.). In some instances, the auditor will have to cross reference to a
supporting working paper because the information is only in a supporting working paper (e.g.,
background and scope information).
(2) It is only necessary for the auditor to cross-reference the draft report once. Normally,
the auditor will cross-reference the approved discussion draft (the draft approved by the CCI
Director to discuss with management). The auditor must also cross-reference any subsequent
changes made to the discussion draft report after it is independently referenced and reviewed.
(3) Except as noted in (chapter 5, paragraph 7. a. (4)), the auditor will hyperlink all
reported figures, dates, direct quotations, statements of fact, and assertions contained in the
executive summary, report body, and appendices. Examples of items auditors sometimes
overlook but that require hyperlinking include: positive statements in the executive summary
and report body; statements in clear reports that management orally agreed with the results;
background information, including criteria; causes for audit results; management corrective
actions (actions management took during the audit to correct audit-identified deficiencies); and
information in the General Audit Information Appendix (work performed information, data
reliability statement, prior audit coverage statement, etc.).
(4) It is not necessary to hyperlink (cross-reference) repeated information more than
once. For example, it is not necessary to hyperlink information contained in the executive
summary that is repeated in the body of the report if the same information in the body of the
report is hyperlinked to working paper support.
b. Independent Reference Reviewing. Reference reviewing is an independent review of the
draft report and working paper files by a person not associated with the audit to verify that the
report is accurate and that documentary evidence supports specific statements of fact.
(1) When to Reference Review. Independently reference review the CCI Director-
approved draft report before releasing the report for comment, as noted in draft report
processing (chapter 5, paragraph 8. a). The CCI Director may require earlier referencing;
however, that will require the implementation of strong controls to ensure subsequent changes to
the report are re-referenced before the report is released or discussed with management.
(2) Selecting the Independent Reference Reviewer (IRR). The IRR must be a qualified
auditor competent to do the particular referencing assignment. This competence depends on the
individual’s independence, objectivity, experience, and knowledge of DeCA CCIA referencing
and reporting requirements. Do not assign auditor trainees to independently reference review
draft audit reports.
(3) IRR Authority. When IRRs do not believe the evidence provides satisfactory
support, reference reviewers have the authority to require additional evidence they consider
acceptable. The auditor and lead auditor will provide all possible assistance in locating material,
and should be accessible for explanations (any oral explanations provided should be added to the
working papers). However, working papers should normally “stand on their own.” That is,
IRRs should not have to continually ask the auditor for assistance in finding evidence supporting
facts and figures in the report or request oral explanation of information included in working
papers.
(4) IRR Checklist. IRRs will use the IRR Checklist (Appendix I). After completion,
file the completed IRR Checklist in the Report-Processing folder with the IRR Record in
TeamMate.
(5) IRR Responsibilities. The IRR shall:
(a) Trace all figures, dates, direct quotations, statements of fact, and auditor
assertions in the hyperlinked (cross-referenced) discussion draft report through the summary
working papers/exceptions to the supporting working papers/Procedures to determine that they
are consistent with and supported by the working papers. NOTE: If the IRR encounters
information that the auditor did not hyperlink, except repeated information (chapter 5,
paragraph 7a (4)), then the IRR will return the report and working papers to the auditor so that
he or she can finish hyperlinking. The IRR will not omit items from the verification process
because the auditor did not completely hyperlink the report.
(b) Place a mark (using the TeamMate tick mark buttons) next to each figure and
statement of fact verified in the report.
(c) Verify the mathematical accuracy of tables, charts, figures, and schedules
included in the report.
(d) Be alert to statements in the report that seem illogical or lack clarity. If the IRR
does not understand what the auditor is trying to say, there is a good chance that management
will not understand either.
(e) Ensure the lead auditor has reviewed all supporting working papers and cleared
all TeamMate coaching notes. The IRR will not sign the IRR record certifying report accuracy
until the lead auditor has finished reviewing and signing off on the working papers and clearing
the coaching notes.
(f) Use TeamMate coaching notes (chapter 5, paragraph 7b (5)) to document all
comments, questions, and opinions pertaining to the review. NOTE: If the IRR used the IRR
Checklist (Appendix I), hyperlink the IRR Record to the checklist.
(6) Auditor Responsibilities. The auditor shall:
(a) Respond to each referencing note, indicating agreement or disagreement, and
specify the actions that have or will be taken to correct the discrepancy. For example, the auditor
may add additional support (to the working papers or cross-referencing) or change the draft
report.
(b) Elevate points of disagreement to the lead auditor for review.
(c) Notify the lead auditor when making significant changes to the report after
completing independent reference review, and cross-referencing the changes to the working
papers.
(d) Retain the independently referenced and reviewed draft report and IRR record in
the applicable folder in TeamMate. The auditor will file the referenced report, IRR certification
statement, and IRR checklist (if used) in the TeamMate Independent Reference Reviewed Report
folder.
(7) Lead Auditor Responsibilities. The lead auditor shall:
(a) Review all project working papers and the draft report for technical accuracy and
consistency before initiating the referencing process.
(b) Assure the IRR understands his or her responsibilities as discussed in this
chapter. If the person assigned is a first-time IRR, review with that person the requirements of
this instruction.
(c) Review the IRR’s comments, verify changes in the report resulting from the
referencing review, and resolve any disagreements between the auditor and IRR. The lead
auditor will document the rationale underlying resolved disagreements in TeamMate coaching
notes.
(d) Assure all subsequent significant changes to the report are independently
referenced and reviewed IAW (chapter 5, paragraph 7. b).
(e) Re-referencing. If the audit team makes significant changes to the report after
completing independent reference reviewing, the lead auditor must select an independent person
to re-reference and review the changed or added material. Significant changes include changes
in scope (e.g., audit universe or sample size), changes in condition (e.g., differences in number,
location, or amounts of deficiencies), new or changed examples, and any statements added to
report management corrective actions. The lead auditor will determine when to re-reference and
review, and what changes in the report need re-referencing and reviewing.
(8) Deputy Director for Audit (Supervisory Auditor) Responsibilities. The Deputy
Director for Audit (Supervisory Auditor) shall, during working paper reviews, confirm the
independent referencing requirements (chapter 5, paragraph 7. b) were accomplished IAW
DeCA CCIA policy.
(9) IRR Record. When reference reviewing is complete, the IRR, auditor, and lead
auditor will sign off on the certification statement located in the same TeamMate folder: “I have
completed referencing the draft audit report for Project XXXXXXXXX, IAW requirements
established in Reference (a). All suggestions and comments have been satisfactorily resolved.
Source data included in the working papers properly support the contents and accuracy of the
draft report.”
(10) Audit Report Reviewer Checklist. As an additional quality control, lead auditors
and the Deputy Director for Audit (Supervisory Auditor) are encouraged (though not required) to
use the Audit Report Reviewer Checklist located at (Appendix J).
8. Draft Report Processing.
a. Discussions. After the CCI Director approves the draft report, any further discussion of
the details that is necessary before distributing the report for response to the recommendations
will be performed as a draft discussion. For the discussion, ensure the draft report is independently
referenced. The audit team will discuss (out-brief) the report with operating personnel,
supervisors in the chain of command, and the responsible managers and/or directors. Except for
changes resulting from the discussions, the audit team should not further change the audit report
without advising officials in charge of the audited activity. The audit team, in coordination with
management, will determine the appropriate officials with whom to discuss the report. Draft
discussions should, at a minimum, reach the Senior Executives or Directors.
b. Discussion Records. Document all out-conference discussions in TeamMate. This
documentation should include the following:
(1) Discussion dates, names, and positions of attending personnel.
(2) Discussion details.
c. Report Changes. The audit team may revise the draft report as a result of the discussions,
to add or change information or to show additional corrective action taken during audit
fieldwork. In these instances, the audit team must obtain evidence that verifies the new or
changed information or the corrective actions taken and document the results in the working
paper files. The new or revised information will require independent referencing. If the audit
team makes significant report changes after out-conferencing with lower level operating personnel, the
audit team will: (a) obtain CCI Director’s approval for the changes; and (b) notify the lower
level operating personnel of the changes.
d. Senior Management Approval. Out-brief applicable senior management officials using
the final draft and relating lower management’s position regarding the findings,
recommendations, and potential monetary benefit, if applicable. Obtain an indication of senior
management concurrence/nonconcurrence at the out-conference and document the working papers
accordingly.
e. Draft Report Transmittal Memorandum. After discussing the report with management,
the auditor makes any agreed-to changes; the lead auditor approves the changes and distributes
the completed audit report to management for comments. The CCI Director signs the transmittal
memorandum. NOTE: The title on the transmittal memorandum will agree with the audit
announcement memorandum/email. Allow management officials 15 calendar days, on average,
to provide their comments.
f. Draft Report Distribution. Transmit the draft report to the applicable management
officials of the audited function. Before transmitting the report electronically, ensure it is free of
track change markings and report-processing comments.
CHAPTER 6
FINAL REPORT AND POST-AUDIT ACTIONS
1. Overview. DeCA CCIA final audit reports will include the views of responsible management
officials as a means of verifying the report’s fairness, completeness, and objectivity. Audit
teams will use the guidance in this chapter to receive and evaluate management comments, insert
management comments and their evaluation of management comments, and process the final
report. This chapter contains additional guidance auditors will use to issue final reports when
management does not provide comments, track implementation actions on recommendations
selected for follow up, and process the customer survey.
2. Final Report Responsibilities.
a. The CCI Director shall:
(1) Approve the evaluation of management comments.
(2) Sign and distribute the final report. NOTE: Before signing the final report, the
office administrative assistant should review the report for conformance with format and other
administrative requirements. The office administrative assistant will prepare cover pages and
submit the report for publication.
(3) Establish a control system to ensure significant changes between the referenced and
reviewed draft report and the final report are re-referenced and reviewed.
(4) Maintain a log of recommendations the CCIA selects for follow-up.
(5) Ensure audit projects are completed in TeamMate (Appendix C).
b. The Deputy Director for Audit (Supervisory Auditor) shall:
(1) Keep the CCI Director informed on progress in receipt and evaluation of
management comments.
(2) Review evaluation of management comments.
(3) Appoint an IRR to re-verify any significant changes between the final report and the
referenced and reviewed draft report.
(4) Identify significant report recommendations to the CCI Director for follow-up audit
planning.
(5) Ensure audit projects are completed in TeamMate (Appendix C).
c. The lead auditor shall:
(1) Work with management to the extent possible to ensure timely receipt of responsive
management comments.
(2) Ensure the auditor thoroughly cross-references any significant changes between the
final report and the referenced and reviewed draft report.
(3) Review and evaluate management comments to ensure they adequately address
findings, recommendations, and PMB in the report and meet the requirements of this Manual.
(4) Ensure audit projects are completed in TeamMate (Appendix C).
d. The auditor shall:
(1) Contact applicable management officials approximately 3 workdays before the
comments are due to determine if any problems exist with the draft report or with meeting the
suspense date. The auditor should also attempt to obtain advance comments from management
and provide feedback regarding the responsiveness and adequacy of those comments.
(2) Evaluate management comments to ensure they adequately address findings,
recommendations, and PMB in the report and meet the requirements of this Manual.
(3) Inform the lead auditor of any significant report changes (differences between the
final report and the independently referenced and reviewed draft report) that need re-referencing.
(4) Finalize the working papers in TeamMate.
3. Management Comments – General Guidance. To ensure reports are fair, complete, and
objective, government auditing standards require auditors to include the views of responsible
management officials in the final report.
a. DeCA CCIA Requirement. Management comments are required for each audit finding,
recommendation, and PMB included in the audit report, except as discussed in (chapter 6,
paragraph 3. a. (1)). Management must provide formal written comments signed by the
responsible senior management official or designated representative.
(1) Formal, written management comments are not required for clear reports (reports
without discrepant conditions) and for reports with discrepant conditions if management
corrected the discrepancies during the audit (i.e., no recommendation required) and the audit did
not identify PMB.
(2) If a finding corrected during the audit (i.e., no recommendation required) includes a
claimed PMB, obtain written management comments for the PMB. Do not regard silence as
agreement. When management agrees with the PMB, the final report must so indicate. If
management non concurs with the PMB, follow the guidance in (chapter 6, paragraph 4e).
(3) For no-finding reports and reports with no recommendations, auditors will obtain
from management oral or e-mail concurrence with the audit results, and include a statement in
the final report (chapter 5, paragraph 5.c.6. (b)) that management officials agreed with the
audit results and concurred with the issues as presented in the report. If management orally
concurs with the report, document the discussion in the working paper file. If management
provides an email response, include a copy of the email in the working papers.
b. Receiving Management Comments. When management comments are received, the
auditor and Deputy Director for Audit (Supervisory Auditor) will ensure the comments are
responsive. Specifically, the auditor and Deputy Director for Audit (Supervisory Auditor) will
ensure the management comments indicate concurrence or nonconcurrence with each audit
finding, recommendation, and PMB. The comments must also indicate the actions management
will take to correct the conditions identified in the report, provide estimated completion dates for
all agreed-to actions, and provide the rationale for any disagreements. For comments not
meeting the requirements, meet with management to identify and discuss required revisions and
establish a revised due date. Document these discussions in the working papers.
c. Electronically Transmitted Management Comments. Management may provide
electronically transmitted comments if the system for processing comments contains adequate
controls to provide reasonable assurance the applicable senior management official approved the
comments.
d. Inserting Management Comments in the Report. Insert management comments in the
management verbatim comments paragraph following the recommendations in (chapter 5,
paragraph 5c 6 (a)). Correct grammar, punctuation, or spelling errors, using caution to preclude
changes in meaning or intent.
(1) Incorporate management comments verbatim, as corrected, and begin each
management comment paragraph by stating whether management concurred or non concurred
with the recommendation (e.g., The DeCA East Area Director concurred and stated, “. . . .”).
(2) If management comments are excessively long, paraphrase or summarize them in the
body of the report and include them verbatim as an appendix to the report. NOTE: When
applicable, place the management comments appendix before the general audit information
appendix.
(3) If management personnel attach copies of various documents (policy memorandums,
studies, etc.) to their comments, include the documents in the report as an appendix if the
documents add to the reader’s understanding of the issues contained in the report. Otherwise,
incorporate the documents into the audit report by reference only and file the documents in the
working papers.
(4) If an estimated completion date does not appear reasonable, contact management and
determine their rationale for arriving at the planned completion date. Unreasonable completion
dates can be considered nonresponsive. If planned management action will take more than 12
months to accomplish, ensure management comments provide interim milestones with which to
track the completion of management action.
4. Evaluating Management Comments. The auditor, lead auditor, and Deputy Director for
Audit (Supervisory Auditor) will assess whether the management comments adequately address
the issues contained in the report, submit the evaluation for approval to the CCI Director, and
insert the approved evaluation in the final report (chapter 6, paragraph 4. g). If comments are
considered nonresponsive, follow the guidance in (chapter 6, paragraph 4. c. 1. (b)).
a. Management Fully Concurs. If management fully concurs with the audit findings and
recommendations, evaluate the comments as responsive and insert your evaluation in the
evaluation of management comments paragraph. Include a statement similar to the following in
the evaluation paragraph: “Management comments addressed the issues raised in the report, and
management concurred with the PMB (if applicable). Management actions taken or planned
should correct the problem(s).”
b. Management Concurs and Proposes Alternative Corrective Actions. If management
concurs with the audit results but proposes alternative corrective actions to correct the problem,
the audit team should evaluate the management comments as responsive, if the proposed actions
will correct the condition. Include a statement similar to the following in the evaluation
paragraph: “Management agreed with the audit results but proposed alternative corrective
actions to the ones recommended in the report. Nevertheless, management’s proposed
alternative actions should correct the problem.” If sufficient information is not available to make
a judgment on whether alternative corrective actions will correct the audit problem, delay the
report and perform additional audit work.
c. Management Non concurs. If management non concurs with audit results and
recommendations, review the comments and evaluate management’s logic.
(1) CCI Director Responsibilities. The CCI Director will process management
comments as a nonconcurrence if they: (a) disagree with any finding, recommendation, or PMB;
or (b) propose alternative actions the CCI Director believes will not correct the audit-identified
problems. To process a nonconcurrence, the CCI Director must:
(a) Make every attempt to resolve the disagreements, including discussing the
management comments with the applicable senior management official.
(b) If the CCI Director concludes the management comments are not responsive,
include a statement similar to the following in the evaluation paragraph: “Management
comments are not responsive to the issues raised in the report, and management does not plan to
take action to correct the problems noted (or plans to take actions that will not, in our opinion,
correct the problem).” Rebut the management comments by clearly explaining why management
comments do not address the issues or are otherwise insufficient, and process the comments as a
nonconcurrence. NOTE: Following the evaluation and rebuttal comments, include the following
statement: “We advised management officials that we must issue the final report that indicates
management’s nonconcurrence with the audit findings, recommendations, and/or PMB (as
applicable).”
(c) However, if the CCI Director determines management is correct in the
nonconcurrence, make the appropriate changes to the report and document the reason in the
working papers. Clearly communicate the points of view of both management and auditors in
the report to assist in resolving the issue.
d. Management Partially Non concurs. When management partially non concurs, advise
management, in writing, of your evaluation and attempt to resolve the differences. If
management elects not to revise their comments, then follow the guidance below.
(1) If management non concurs with the audit results but concurs with the
recommendations (or proposes alternative actions that you believe will correct the deficiency),
evaluate the comments as responsive. Include a statement similar to the following in the
evaluation paragraph: “Although management non concurred with the audit results, management
took (or plans to take) actions which we believe will correct the deficiency.” In these instances,
the audit team must still rebut management’s nonconcurrence with the audit results.
(2) If management concurs with the audit results but non concurs with the
recommendations (and does not propose acceptable alternative actions), evaluate the comments
as nonresponsive. Include a statement similar to the following in the evaluation paragraph:
“Management comments adequately address the audit findings but are not otherwise responsive
to the issues raised in the report, and management does not plan to take action to correct the
problems noted.” The auditor must also rebut management comments.
(3) If management concurs (or partially concurs) with the audit results and
recommendations, but their comments do not adequately address the issues in the report, treat
these comments in the same manner as a nonconcurrence. Include a statement similar to the
following in the evaluation paragraph: “Although management concurred with the audit results
and recommendations, they have not taken (or do not plan to take) action which we believe will
correct the deficiency; therefore, the management comments are not responsive to the issues
raised in the report.” The auditor must rebut management’s nonresponsive comments.
e. Management Non concurs with PMB. The management comments must provide reasons
for a nonconcurrence and include evidence to support the alternate estimate. Instruct management
to reaccomplish comments that do not reflect reasons for non concurring with the PMB.
(1) Full Nonconcurrence. Regardless of actions taken or planned on the audit results and
recommendations, if management non concurs with the existence (not amount) of a PMB,
evaluate the comments pertaining to the PMB as nonresponsive. Include a statement similar to
the following in the evaluation paragraph: “Management comments addressed the issues raised
in the report, and management actions taken or planned should correct the problem. However,
management disagreed the action taken would result in a PMB. Therefore, the management
comments are not responsive to the monetary benefit identified in the report.” The auditor must
now rebut management comments related to the PMB.
(2) Partial Nonconcurrence - Lesser Amount Specified. If management agrees with the
existence, but not the amount of the PMB, and specifies a lesser amount (e.g.,
management agrees with only 3 of 5 line item reductions or a portion of the claimed amount),
evaluate the management comments and explanation as follows:
(a) If the audit team disagrees with management’s reduced PMB, evaluate the
comments as nonresponsive. Evaluate only the amount in dispute (the difference between the
auditor’s estimate and the amount agreed to by management) as a nonconcurrence. Include a
statement similar to the following in the evaluation paragraph: “Management comments
addressed the issues raised in the report, and management action taken or planned should correct
the problem. However, management disagreed the actions taken would achieve the full audit-
estimated PMB. Instead, management estimated a lower PMB of only $x.x million. Therefore,
the management comments are not responsive to $y.y million (the difference) of the monetary
benefit contained in the report.” The auditor must now rebut the management comments.
(b) If the audit team agrees with management’s reduced PMB, evaluate the
management comments as responsive. Show the agreed-to PMB amount in the final report and
indicate audit’s concurrence with the reduced amount in the evaluation comments.
(3) Partial Nonconcurrence - No Amount Specified. If management agrees there will be a
PMB, but does not agree with the amount of the PMB because they cannot determine the actual
amount, evaluate the comments as responsive. Include a statement similar to the following in the
evaluation paragraph: “Management agreed that monetary benefits will accrue, but declined to
state an estimate. Management will validate the amount of actual savings after implementing the
recommendation.” NOTE: Management should “concur in principle” with the PMB rather than
“nonconcur” and provide rationale for their qualification.
f. Management Provides New Information. If management provides new information in
support of a position or to contradict information in the report, the auditor must appropriately
verify the new information. When necessary to provide an objective presentation of facts,
modify the final report to include the new, verified information. NOTE: If significant facts,
omitted from the draft report, become known after issuing the draft for management comments,
the audit team should re-accomplish the finding paragraph and possibly the recommendation and
should resubmit the report to management for comments. Complete cross-referencing and
independent referencing and obtain CCI Director’s approval before submitting the revised report
to management.
g. Inserting the Evaluation of Management Comments in the Report. After the Director
approves the evaluation of management comments, insert the evaluation in the final report.
h. Executive Summary. Add a statement in the management’s response paragraph similar to
the following, at the end of the management’s response paragraph:
(1) Responsive Comments. “Management officials agreed with the overall results. The
corrective actions taken and planned are responsive to the issues, recommendations, and PMB (if
applicable) included in this report.” NOTE: For clear reports, indicate that management
officials agreed with the results contained in the audit report.
(2) Nonresponsive Comments. “Management comments adequately addressed the issues
discussed regarding front-end opening and closing procedures. However, management
comments were not responsive to the audit results, recommendations, and PMB regarding
coupon handling procedures. See page X for additional details and the audit rebuttal.” In the
rebuttal, do not introduce new facts that were not presented to management in the draft report.
The rebuttal must support the audit results, recommendation, and PMB (if applicable) by stating
the rationale for the auditor’s disagreement with management.
5. Non concurrences. Non concurrences on recommendations and PMB must be resolved. If
the CCI Director and the responsible Senior Executive cannot resolve the non concurrences, the
Chief Operating Officer (COO) or Chief Performance Officer (CPO) will adjudicate.
6. Cover Letter.
a. The cover letter precedes the executive summary and is signed by the CCI Director.
b. The cover letter identifies the addressees of the report as well as the functional area
audited and locations, if applicable.
c. The cover letter will include the following statement regarding government auditing
standards: “We conducted this audit IAW generally accepted government auditing
standards.”
d. Finally, the cover letter will state the inclusive dates of the audit and identify the primary
audit staff and their contact information.
7. Final Report Processing.
a. Re-referencing. The Deputy Director for Audit will appoint an independent auditor to
verify any significant changes to the final report (differences between the independently
referenced and reviewed draft report and the final report).
b. Report Date. Date the report as of the day you will send it to the addressee.
c. Once finalized and signed, convert the Microsoft Word file to an Adobe portable
document format (.pdf) file by sending the Word file to a .pdf print file.
d. Final Report Distribution. CCIA will distribute final reports via email, in .pdf to DeCA
Director and CEO, COO, responsible Senior Executives, and CPO. The CCI Director or Deputy
Director for Audit (Supervisory Auditor), IAW DoD Instruction 7600.2, “Audit Policies,” April
27, 2007 (Reference (h)), will update the Agency’s report distribution requirements as necessary.
Ensure reports are posted to the DeCA IG SharePoint.
8. Follow-up Audits.
a. Purpose. Perform follow-up on audit results and recommendations contained in prior
audit reports, to determine whether: (a) management took the recommended actions or
satisfactory alternatives; (b) the actions management took were effective in eliminating the
deficiencies; and (c) management realized the PMB.
b. Scheduling. At the conclusion of each audit, the Deputy Director for Audit (Supervisory
Auditor) will determine whether the report contains significant recommendations meeting the
follow-up criteria discussed below. The Deputy Director for Audit (Supervisory Auditor) will
notify the CCI Director of all recommendations selected for follow-up. The CCI Director will
include reports with recommendations selected for follow-up in the annual plan. Schedule the
audits a minimum of six months after management completes corrective actions and resources
are available.
(1) When it is time to follow-up on the selected recommendations and management has
not closed the recommendations, determine the reason for the delay. If the delay is not
reasonable and management actions are more than six months overdue, the CCI Director will
determine whether to proceed with the follow-up audit. If the delay is reasonable, allow
management more time to complete their actions before proceeding with the follow-up audit.
(2) If management has not completed implementation actions on any recommendation
six months after the agreed-to date (whether or not selected for follow-up), consider following up
to determine reasons for the delay.
c. Criteria. Use the following criteria to select recommendations for follow-up.
(1) Mission-Related Items. Follow-up on audit results that involved deficiencies having
significant impact on the DeCA mission (for example, gain/loss or front-end operations).
(2) Potential Monetary Benefits. Follow up on all audit results that identified a PMB of
$250,000 or more. An objective of the follow-up audit will include verifying the amount of
PMB realized.
(3) Recoupment Actions. Follow-up on all recommendations that involved management
initiating action to recoup funds.
(4) Controls and Fraud. Follow up on all reports that identified significant control
problems or problems safeguarding resources from unauthorized use or disposition.
(5) Potential Anti-deficiency Act Violations. Follow-up to review the accuracy and
propriety of management actions taken as a result of an audit recommendation to determine
whether a DoD Directive 7200.1, “Administrative Control of Appropriations,” May 4, 1995,
Certified Current as of November 21, 2003 (Reference (i)), violation has occurred.
(6) Other. Follow-up on other audit results and recommendations that, in the judgment
of the CCI Director, warrant follow-up.
d. Follow-up Log. For audit planning purposes, the CCI Director will maintain a log of
recommendations selected for follow-up. Appendix K, the audit follow-up log, contains a
suggested format. Review the audit follow-up log periodically to identify “open”
recommendations for which the estimated completion date has passed. Contact the applicable
management official to determine the reasons for the slippage and obtain a revised estimated
completion date.
9. Follow-up Audit Reports.
a. Report Attributes. If the follow-up audit discloses the following conditions, take the
action indicated.
(1) Repeat Findings. Identify findings as “repeat” if the current conditions are
substantially the same as those disclosed by the prior audit. Identify findings as “repeat” whether
or not the cause of the current conditions and the recommendations to correct the current
conditions are the same as those in the prior report.
(a) If management either implemented the recommendation or took other corrective
actions, give management credit in the follow-up audit report for taking action, and identify the
reasons management’s actions did not correct the deficiency. Because the finding still exists, the
original report likely did not identify the root cause.
(b) If management did not act on the recommendation or took action other than
indicated in their written response, provide details in the report explaining why management did
not act or why management’s alternative action did not correct the problem.
(2) New Findings. Auditors conduct follow-up audits to determine whether management
corrected the deficiencies cited in earlier reports. Normally, auditors will not develop new
findings in follow-up audits. However, it may occasionally happen that the auditor identifies
new, reportable conditions during the conduct of a follow-up audit. When this happens, the
auditor should prepare one report and clearly differentiate between the repeat and new findings.
NOTE: If the follow-up audit did not identify repeat findings, the auditor should put the clear
follow-up results in the executive summary and the new findings in the report body.
(3) No Findings. If management implemented the recommendations or took other
responsive actions that corrected the deficiencies, and the auditor identified no additional
findings related to the follow-up issues, issue a clear report.
b. Follow-up Report Format. Except as noted in the following paragraphs, use the same
format for a follow-up report as for a regular report.
(1) Report Title. Begin the report title with “Follow-up Audit, . . .”
(2) Executive Summary.
(a) Introduction. The first paragraph must identify what initiated the follow-up audit
and reference the prior report (cite report number, title, and date). For example, “This follow-up
audit evaluated management actions taken in response to Audit Report XXXXXXXX, (title),
(date).”
(b) Objectives. Identify the recommendations in the original audit report selected for
follow-up. For example, “The overall objective was to determine whether management actions
implemented in response to Recommendations 1, 2, and 5 in Audit Report XXXXXXXX were
effective and corrected the conditions previously reported. In addition, we verified the actual
amount of monetary benefits realized as a result of the previous audit.”
(c) Results. For the recommendations followed-up on, the results paragraph must
summarize all deficiencies corrected by management. Also, auditors must clearly identify any
repeat deficiencies as “repeat findings” and reference the appropriate audit results (finding)
paragraphs of the prior audit report. Identify any benefits (monetary or non-monetary) lost
because management did not act or took action that was not adequate to correct the problem.
(3) Prior Audit Coverage. In the prior audit coverage section of the general audit
information appendix, include a statement similar to the following: “Other than the report which
was the subject of this follow-up audit, our review of audit files and contact with base officials
disclosed no other audit report issued to the (audit entity/function) by any audit agency within
the last 5 years that related to these same audit objectives.”
c. PMB in Follow-up Reports. Do not report PMB that is related to a repeat finding.
Auditors can claim and report PMB only one time for each finding because follow-up officials
credit the prior report and recommendation with all PMB achieved. The only time an auditor can
report a PMB of a follow-up audit report is when the PMB is part of a new finding and
recommendation not previously reported.
APPENDIX A
INDEPENDENCE STATEMENT
Auditor Independence Declaration
Generally Accepted Government Auditing Standards, paragraph 3.02 (GAO-012-331G), Reference (e),
states, “In all matters relating to the audit work, the audit organization and individual auditor, whether
government or public, must be independent.”
Examples of Personal Impairments. Factors may affect an auditor’s independence in regards to the
audited activity. Some of these factors are:
• Immediate family or close family member who is a director or officer of the audited entity, or, as an
employee of the audited entity, is in a position to exert direct and significant influence over the
entity or the program under audit.
• Concurrent or subsequent performance of an audit by the same individual who maintained official
accounting records when such services involved preparing source documents; posting transactions;
authorizing, executing or consummating transactions; maintaining an entity’s bank account or
otherwise having custody of the entity’s funds; or otherwise exercising authority on behalf of the
entity, or having authority to do so.
• A financial interest that is direct, or is significant/material although indirect, in the audited entity or
program.
• Responsibility for managing an entity or making decisions that could affect operations of the entity
or program being audited.
• Preconceived ideas toward individuals, groups, organizations or objectives of the audit entity or
program that could bias the audit.
• Biases, including those resulting from political, ideological, or social convictions that result from
membership or employment in, or loyalty to, a particular group, or level of government.
• Seeking employment during the conduct of the audit with an audited organization.
In addition to these personal impairments, an auditor should not:
• Review work the auditor performed.
• Review work of a previous supervisor or co-worker with whom the auditor has either a close
personal relationship or unfriendly working relationship.
• Seek employment with the audited organization during the audit.
Examples of External and Organization Impairments. In addition to personal impairments, other
factors may restrict audit work or interfere with an auditor’s ability to form independent and objective
opinions and conclusions. These factors include:
• Interference or influence that improperly limits the scope of an audit (that is, interference with the
selection or application of audit procedures or in the selection of transactions to be examined).
• Unreasonable restrictions on the time to complete the audit.
• Authority to overrule or influence the auditor’s judgment as to the appropriate content of the audit
report.
• Influence that jeopardizes the auditor’s continued employment for reasons other than competency
or the need for audit services.
(__) I have read, understand and will comply with Chapter 3: “General Standards,” of the
Government Auditing Standards (the Yellow Book), Reference (e) pertaining to personal and external
impairments of independence.
(__) I have no personal impairments and am not aware of any external impairments to independence
as defined in the Government Auditing Standards. I will notify my supervisor immediately if I become
aware of the potential existence of any actual or perceived personal or external impairment on my part or
a co-worker’s part between (insert dates). –or–
(__) I believe I cannot be independent or impartial on audit assignments for the following potential
personal or external/organizational impairments:
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Printed Name____________________________________________
Signature _______________________________________________ Date______________________
(__) I have reviewed this certification and agree that it appears no personal or external/organizational
impairments to independence exist.
(__) I have reviewed the potential impairment to independence and have taken the following action(s):
_____________________________________________________________________________________
_____________________________________________________________________________________
Supervisor’s Signature_____________________________________ Date______________________
APPENDIX B
NONAUDIT SERVICE STATEMENT
This nonaudit service by DeCA’s Internal Audit Division was requested in support of:
_______ DeCA Senior Management Audit Request
_______ DeCA Office of General Counsel Request
_______ DeCA Inspector General Investigation Audit Support
_______ Other DeCA Requested support from:___________________
The work performed was not conducted in accordance with Generally Accepted Government
Auditing Standards (GAGAS). The auditor has reviewed GAGAS 2.12 – 2.13 and 3.33 – 3.58
and identified the possible threats to the independence of the internal audit office by performing
this service. We determined:
A) _____There were no threats to the independence of the auditor or the office of internal
audit by performing this nonaudit service.
B) _____There were possible threats to the independence of the auditor or the office of
internal audit by performing this nonaudit service. We identified the threats and took steps to
mitigate their impact. (Prepare work paper listing threats and mitigation steps.)
C) _____There were serious threats to the independence of the auditor or the office of internal
audit. As a result the nonaudit service was terminated to protect the independence of the
auditor or the office of internal audit. (Prepare work paper listing threats and reasons to
terminate the audit.)
APPENDIX C
TEAMMATE SUITE
TeamMate is a suite of products combining both desktop and web-based technologies. The
combined suite allows auditors to identify, schedule, document, report and track time and
expenses on audits using a modular approach. It is located on each assigned auditor’s hard drive
through access of TeamMate database which is stored on DeCA’s Information Technology
servers. The following is a list of applications that comprise the TeamMate suite.
TeamMate Electronic Working Papers (EWP) is CCIA’s automated application that allows
auditors to complete all phases of the audit documentation and review processes. TeamMate
Version 9.1.1 is the current software used within CCIA. Upgrades to Version 10. within the near
future.
TeamStore is a desktop application used in conjunction with EWP, which allows maintenance of
knowledge base.
TeamImage is a desktop application used in conjunction with EWP to integrate imaging.
TeamRisk is a desktop application allowing risk assessment on the audit universe to determine
what to audit based on risk. TeamRisk Web is a web application that allows business owners
and distributed auditors to contribute to the risk assessment process.
TeamSchedule is a desktop application that allows schedulers to schedule projects and assign
resources. TeamSchedule Web allows teams to view reports on the status of projects and
exceptions across audits.
TeamMate Time and Expense Capture is a web application that allows users to enter time and
expenses to a project. TeamCentral allows teams to view reports on the status of projects and
exceptions across audits.
TeamAdmin is a desktop application that allows TeamMate Administrators to perform various
functions on the centralized database included in a separate installation.
A database server, supported by DeCA’s Information Technology Division at Headquarters
DeCA, is required for the TeamMate web application.
TeamMate Explorer is the name of the screen that opens when you launch TeamMate. There are
eleven function buttons in TeamMate Explorer. Launching TeamMate Explorer allows access to
the library where a new audit project file can be initiated or started. The library contains
information such as planning and reporting steps and terminology definitions.
DeCA’s Internal Audit personnel responsible for setting up a new audit project file can consist of
the CCI Director, Deputy Director for Audit (Supervisory Auditor), the administrative assistant,
or the lead auditor within the Internal Audit Division. The following steps are required to set up a
new audit project in the TeamMate EWP Explorer window:
1. Set up basic information about the audit project
2. Select a library for the audit
3. Set up administration information
4. Set up audit team
5. Set up profile information about the audit
6. Initialize audit project
Upon completion of the above steps, the responsible person must check the box “Field Work,”
and (initialize the project) in order for working papers or supporting documents to be entered and
signed off in TeamMate.
Team members assigned to an audit project will be assigned roles on access levels, such as:
Read Only - allows the auditor to only view the audit files. They cannot make any
changes to them.
Preparer Only - allows the auditor to create programs, document work, add work papers,
and sign-off on steps.
Preparer/Reviewer - allows the independent referencer, lead auditor, Deputy Director for
Audit (Supervisory Auditor), or CCI Director to review work performed by other auditors
under their supervision or salary grade.
Project Owner - this role combines the preparer/reviewer role and has the ability to
change passwords within the project. This role is performed by the administrative
assistant, or lead auditor, if required.
The status of the working papers includes:
Yellow Triangle -- In Progress
Green Sphere -- Ready for Review (Prepared)
Blue Square -- Reviewed*
Red Flag -- Edited After Review
Maroon Triangle -- Conflict with Another Schedule
*All documentation prepared or entered into TeamMate will be reviewed and signed off
(indicated with a Blue Square status) prior to DeCA’s Internal Audit Division issuing and
distributing the final audit report.
The following folders and steps are contained in the TeamMate Performance Library for use
throughout the project.
PA: Planning and Administration
PA1: Administration
PA2: Audit Coordination and Announcement Letter
PA3: Statement(s) of Independence
PA4: Audit Checklist
AS: Audit Summary (Report Processing)
AS1: Current Exceptions
AS2: Draft Reports (working)
AS3: Official Draft Report
AS4: Independent Referencer Review
AS4: Final Report (All versions)
PG: Program Groups
A: Planning -- this folder contains GAGAS and Audit Handbook required steps. If they
are not completed, a justification should be documented in the folder. This folder is
also used for adding criteria.
B: Audit Execution -- this folder contains GAGAS and Audit Handbook required steps.
C-Z: Audit Execution -- Used for additional audit steps, as needed.
All working papers in TeamMate will address purpose, source, criteria, scope/methodology,
results (work performed) and conclusion. All supporting documentation will be attached or
referenced to a working paper associated with a program step in TeamMate. All supporting
documentation should be attached to program steps on the browser.
All questions or suggestions pertaining to the TeamMate Suite should be addressed to the Office
of Inspector General, CCIA's TeamMate Champion.
APPENDIX D
AUDIT NEEDS
Date:
Subject Title:
DeCA Functional Area
Contacts (Name) Position Office Symbol Phone
Background:
Overall Objective:
Sub objectives 1.
2.
3.
4.
Potential Audit Results (Condition/Impact) 1.
2.
3.
4.
Suggested Approach:
Best Time To Apply:
Audit Priority: Urgent Routine Low
Estimated Audit-Hours:
Estimated PMB Amount:
Auditor:
Reviewer:
APPENDIX E
RISK-BASED PLANNING FACTORS
E2.1. Mission/Goals (20) (NOTE: number in parentheses is the risk criteria weighting
factor.)
a. Definition. Importance of the audit subject to the mission statement or goals of the audit
entity.
(5) High - Significant impact
(3) Medium - Moderate impact
(1) Low - Minimal impact
(0) N/A
b. Comment. Risk increases as projects directly impact the DeCA mission. For example,
direct impact audits of sales, front-end operations, and customer service would receive high
ratings. Indirect impact audits of these areas would receive medium ratings. Audits that have
low impact on the organization’s mission would receive lower ratings.
E2.2. Fraud, Waste, or Abuse (15)
a. Definition. Vulnerability of the audit subject to fraud, waste, and abuse.
(5) High - Very vulnerable
(3) Medium - Moderately vulnerable
(1) Low - Minimally vulnerable
(0) N/A
b. Comment. Risk increases when government assets can be easily converted to personal
gain or use. For example, assets convertible to personal use include: cash and cash-related
instruments, as well as assets that could be sold easily or used within a home or other non-work
environment. Also, an organization’s risk increases with increased disbursing/purchasing
authority. For example, audits involving significant quantities of cash or credit card purchases,
voucher and invoice payments, military or civilian pay, or large quantities of personal computers
or vehicle parts would receive high ratings. Audits involving smaller quantities of convertible
assets or budgets would receive medium to low ratings. Audits involving no convertible assets
would receive no rating.
E2.3. Management-Suggested Subjects (11)
a. Definition. DeCA officials requested/suggested the audit subject.
(5) Yes
(0) No
b. Comment. If management requested/suggested the subject, it receives a “5” rating. If
the subject was obtained from any other source, it receives a “0” rating.
E2.4. Resources (15)
a. Definition. The audit subject’s dollar value of transactions, number of people involved,
asset value, etc.
(5) High - More than 5 percent of the audit entity’s resources (e.g., budget, personnel,
assets, and transactions)
(3) Medium - Between 1 and 5 percent of the audit entity’s resources
(1) Low - Less than 1 percent of the audit entity’s resources
(0) N/A
b. Comment. Resources used should be those needed to accomplish the mission (buy and
sell groceries) without consideration of the value of the actual groceries. Resources to consider
include high-value equipment assets, computer equipment, vehicles, personnel costs, operations
and maintenance budget, etc. For example, an audit of front-end department operations would
not necessarily consider the value of the cash and other media on hand, but rather the impact on
selling groceries and protecting government resources. The audit would also consider the value
of equipment, tools, personnel, and other resources used to manage front-end operations. Most,
but not all, audit subjects will score low to medium in the resources area as they relate to
resources for the audit entity. This is corrected through use of the subject’s entire risk
assessment score as it is impacted by other risk criteria such as mission/goals or management
suggestions. One example of a subject that could score high in the resources area is contracts
that cost more than 5 percent of the DeCA O&M funds and use large quantities of time and
personnel to oversee contract operations.
E2.5. Public Criticism (7)
a. Definition. Sensitivity of the audit subject to adverse public opinion or criticism.
(5) High - Congress, DoD, or DeCA very concerned
(3) Medium - Congress, DoD, or DeCA moderately concerned
(1) Low - Congress, DoD, or DeCA minimally concerned
(0) N/A
b. Comment. Examples of audits where DeCA would be very concerned about public
criticism include environmental, acquisition/purchasing, and personnel cutback projects.
Conversely, audits of basic support functions usually create little concern. However, any audit
that identifies potentially fraudulent conditions can also result in heavy public criticism.
E2.6. Public Law (7)
a. Definition. Audit subject impacted by public law.
(5) Yes
(0) No
b. Comment. If an audit subject pertains to Federal, state, or local laws, the subject receives
a 5 rating. If the subject does not pertain to Federal, state, or local laws, it receives a 0 rating.
Examples of subjects impacted by public laws are environmental, medical, personnel
management, and injury compensation.
E2.7. Internal Controls (10)
a. Definition. Internal controls to protect government interests and assets and promote the
accuracy of reported financial results.
(5) High - Limited or non-existent controls
(3) Medium - Adequate controls or no basis for assessment
(1) Low - Significant internal controls
b. Comment. This risk criterion is based on the DeCA CCI Director’s experience with the
subject and knowledge of past internal control program and other internal control reviews.
E2.8. Prior Audit Coverage (6)
a. Definition. Amount of time since last audit.
(5) High - More than 5 years
(3) Medium - More than 2, but less than 5 years
(1) Low - Less than 2 years
b. Comment. Time since last audit by DeCA CCIA; GAO; DoDIG; or public accountant.
E2.9. Mission Changes (9)
a. Definition. Changes in audit entity’s mission, products/services, personnel, systems, or
financial results.
(5) High - Changes are dynamic and far-reaching to the audit entity
(3) Medium - Changes are dynamic and impact a particular organization
(1) Low - Changes have minimal impact
(0) N/A
b. Comment. High-risk examples include store closures or major funding changes affecting
the entire audit entity. Medium risk examples include the contracting out of selected functions
such as deli operations. Low risk examples include small changes in personnel, funding, or other
requirements.
E2.10. Manager Override
a. Definition. CCI Director overrules the calculated priority score and declares this an audit
of higher or lower priority.
b. Comment. Low scoring projects may move up in priority to balance the annual plan or
simply because of CCI Director judgment. However, the CCI Director must justify the increased
priority. High scoring projects may move down in priority to balance the annual plan because of
CCI Director judgment, or because of some limiting factor. Limiting factors include personnel,
experience, cost, etc. Again, however, the CCI Director must justify the decreased priority.
Risk-Based Planning Model

RISK ASSESSMENT FACTORS

SUBJECT          Mission/  Fraud,   Mgt Sugg  Resources  Public     Public  Mgt       Prior      Mission  Risk Assess-  Override
                 Goals     Waste,   Subject              Criticism  Law     Controls  Audit Cov  Change   ment Score
                           Abuse
Factor Weights>  20        15       11        15         7          7       10        6          9
Factor Points>   5,3,1,0   5,3,1,0  5,0       5,3,1,0    5,3,1,0    5,0     5,3,1     5,3,1      5,3,1,0
ZonePricing      60        15       55        15         21         35      30        30         9        270
TDY Costs        60        15       0         45         35         35      10        6          0        206
GPC              60        45       0         45         35         35      30        18         9        277
Subj 04>                                                                                                  0
Subj 05>                                                                                                  0
Subj 06>                                                                                                  0
Subj 07>                                                                                                  0
Subj 08>                                                                                                  0
Subj 09>                                                                                                  0
Subj 10>                                                                                                  0
APPENDIX F
AUDIT PLANNING PROGRAM
1. This audit planning program provides guidance for planning all audits. The work performed
in accomplishing these audit steps is required to be documented in TeamMate EWPs.
a. The Deputy Director for Audit (Supervisory Auditor), lead auditor, and auditor should
have frequent progress meetings throughout audit planning.
b. For follow-up audits, auditors should accomplish steps 1 and 2 from the planning
program, as well as any other steps the Deputy Director for Audit (Supervisory Auditor) deems
appropriate, before beginning audit execution.
2. All steps in the audit planning program, except step 9, are mandatory in conducting normal
audits. Where possible, the auditor should hyperlink planning program steps to supporting
documents that explain the audit rationale. The auditor should obtain supervisory approval for
optional steps not accomplished. No explanation is required. Steps are not necessarily
performed in the sequence listed in this guidance.
3. With the supervisor’s approval, and to preclude the start of audit execution, the auditor may
defer accomplishing some planning-steps (e.g., program magnitude may not be readily available,
or metric data may take time to compile) to audit execution. However, the auditor should not
defer so many steps that he or she cannot properly design the audit. Further, the auditor should
explain the rationale for deferring steps. In addition, the auditor should later link the planning
step to the work accomplished during audit execution.
4. The actual amount of planning work accomplished will vary from audit to audit and depend
mainly on the audit team’s familiarity with the subject area and understanding of the control
environment. If for example, the audit team has previously accomplished the same audit at
another location, then the prior work can be used in planning for the current audit. In this case,
the planning work would largely consist of updating the planning program with the information
applicable to the new location/organization and bringing information forward from the prior
audit’s results to the current audit’s planning program (by cutting and pasting or hyperlinking).
Step No.  Description and Response
1 Audit Announcement Memorandum. Prepare the audit announcement
memorandum/ email following the guidance. Ensure all audit notifications are sent
through Task Management to the applicable Senior Executives and/or Directors,
and a copy of the announcement is furnished to the DoDIG.
2 Entrance Conference. Conduct the audit entrance conference (paragraph 3.4.b.2).
Inform local management officials of the audit objective, scope, and estimated time
frame of the audit and assure there are no scheduling conflicts. Ask management
to identify any areas they would like addressed during the audit and discuss
suggested audit approaches.
3 Preliminary Research. Preliminary research is accomplished to familiarize the
auditor with the subject matter of the audit.
3a Obtain from the CCI Director or Deputy Director for Audit (Supervisory Auditor),
any preliminary research data gathered in support of subject identification.
3b Identify applicable directives. Search the DeCA electronic publications library and
consult DoD and/or GAO applicable guidance. Download and review applicable
directives to determine key processes and terminology.
3c Identify, obtain, and review any supplemental criteria used by the activity, such as
standard operating instructions.
3d Flowchart the process of the subject matter being audited. Make sure to identify
control points.
4 Prior Audit Coverage. Determine if there have been any prior audits (DeCA,
DoDIG, or GAO) with similar objectives accomplished in the past 5 years
involving the audit subject. Government auditing standards require auditors to
follow-up on significant findings and recommendations from previous audits to
determine if management took timely and appropriate corrective actions.
4a Review the prior audit reports and identify findings and recommendations that
relate closely to the current audit’s objectives. Determine if any problems
identified in the prior reports are applicable to the scope/objectives of the current
audit. If so, include steps in the audit program to determine whether management
effectively implemented the recommendations and the actions management took
corrected the problems identified.
5 Basic Information of the Audited Function. Information gathered in this series
is needed to build the audit framework as well as to support the introduction
paragraph(s) of the audit report. Basic information is obtained through discussion
with management and review of available records.
5a Identify the primary/subordinate mission of the audited function/organization.
What is the audited organization’s or program’s primary purpose?
5b Identify the magnitude of resources (in terms of funding, material, personnel etc.)
that are put into the program.
5c Identify key personnel and define their areas of authority and responsibility.
5d Discuss with key personnel how the process/program works/operates/functions and
flowchart as appropriate.
6 Metrics. Metrics, also called performance measures, are the objective standards or
goals that managers use to assess performance. Success in achieving the
established metrics is a prime indicator of the organization’s effectiveness.
Through discussion with management officials, determine what measures or
indicators they use, if any, to measure how well the audited activity is
accomplishing its mission. If management has established metrics for the audited
activity, obtain and review the latest data/reports. NOTE: Consider including steps
in the audit program to determine the validity of the metrics (i.e., to determine if
the metrics were computed correctly and reported accurately). If no metrics exist,
should management have indicators to measure productivity, service, or mission
effectiveness?
7 Internal Controls. Government auditing standards and DeCA CCIA policies and
procedures require auditors to review controls in every audit. At a minimum,
auditors will identify the key controls in the planning phase and form a preliminary
assessment of their effectiveness through limited testing. Consider the
effectiveness of controls in determining the need to continue the audit and as
possible causes for the conditions noted. Examples of key controls to review: a.
Controls over information processing. b. Physical control over vulnerable assets.
c. Segregation of duties. d. Proper execution of transactions and events. e.
Accurate and timely recording of transactions and events. f. Access restrictions to
and accountability for resources and records. g. Appropriate documentation of
transactions. h. Management review and oversight. NOTE: When performing
internal control review steps, the auditor should ensure all associated risks are
properly mitigated through tests of internal controls. Consequently, auditors (with
assistance of the supervisor) may need to add additional internal control review
steps to those listed below to adequately assess internal controls for the subject
area. For additional information, see GAO-01-1008G, Internal Control
Management and Evaluation Tool (http://www.gao.gov/new.items/d011008g.pdf).
7a Through discussions with operating personnel and review of applicable DeCA
directives and standard operating procedures, identify the significant controls
management has implemented to account for and protect assets, ensure accurate
reporting, and accomplish the function’s mission. Flowchart the control processes
using automated, manual, or narrative means.
7b To gain a better understanding and verify the processes identified in step 7a, select
a few sample transactions and trace them through the process to determine if the
identified controls have been effectively implemented and are consistently applied.
7c Based on information gathered to date, have prescribed controls been implemented
and do they appear to be effective? Provide your rationale. NOTE: In the audit
program you will design tests to accomplish further testing in areas where controls
appear weak or noncompliance is suspected.
8 Risk of Fraud. Government auditing standards require auditors to design audits to
provide reasonable assurance of detecting fraud, illegal acts, or violations of
provisions of contracts or grants that could have a material effect on the subject
matter. The auditor should be alert to situations that could indicate fraud,
especially when auditing areas with high potential for errors, irregularities, and
illegal acts (areas involving cash, valuable and/or highly pilferable assets,
contractual issues, etc.). The amount of effort expended should be commensurate
with the materiality and risk associated with the subject matter. If control
problems are noted in step 7 (e.g., non-compliance and lack of oversight) and the
audit area has high potential for fraud, consider the risk of fraud to be high.
8a Identify and list any areas of potential fraud. Examples of potential fraud
indicators to review, if applicable to audit: a. Duplicate payments/invoices. b.
Missing/altered documentation. c. Inventory shortages/adjustments. d. Weak
controls. e. Excessive parts replacement. f. Unauthorized computer access. g.
Net income losses. h. Excessive coupons processed. i. Suspended and
resumed/not resumed transactions. j. Tender type substitutions.
8b Based on your planning work, do you consider the subject area to have high,
medium, or low risk for fraud and other illegal acts? Explain your conclusion. If
yes, include steps in the audit program to provide reasonable assurance of detecting
fraud or illegal acts.
9 Computer-Generated Data. From information gathered to date, identify any
computer systems used and computer-generated data and reports that you will rely
on to accomplish the audit and that will later support your audit conclusions.
NOTE: Additional computer-generated data may be identified during audit. Also,
computer-generated data should be tested during the audit execution if
CliftonLarsonAllen LLP (CLA) assessment is not applicable. Step 9 includes
results data regarding the reliability of most computer-generated data you will use
during your audits. As such, consider this requirement completed unless you rely
on data from a non-financial system that does not feed into any of the systems
mentioned.
9a As part of the Fiscal Year 2012 audit of the DeCA financial statements, CLA LLP
auditors performed a review of information technology general and application
controls over the following key DeCA systems that support financial transactions
and reporting:
DeCA Interactive Business System (DIBS)
Electronic Data Interchange (EDI)
Standard Automated Voucher Examination System (SAVES)
Accounting and Inventory Management System (AIMS)
According to the CLA auditors, the general and application controls associated
with DeCA financial and financial-related systems continue to need improvement.
However, these reportable conditions are not believed to be material weaknesses.
As such, we relied on computer-generated data from the CARTS (for example)
system that feeds data to the AIMS and SAVES, to support audit findings and
conclusions. {Example}
10 (CAATTs). Consider and document any CAATTs that you may be able to use
during the audit.
11 Sampling. Consider and document what, if any, data can be used for statistical
sampling and whether the data can be used to project for PMB purposes.
12 Potential Findings. Perform additional testing as needed and appropriate to
identify potential problems and their causes and impact. At this point, the Deputy
Director for Audit (Supervisory Auditor) and auditor should determine the types and
quantity of additional testing that are needed.
13 Audit Decision. Based on the planning work accomplished, determine whether to
continue the audit. Prepare a working paper summarizing the planning findings
and conclusions and providing rationale for: (a) continuing the audit, (b)
terminating the audit and issuing a report, or (c) terminating the audit without a
report. NOTE: A formal audit decision is not required for requested audits.
However, the auditor should still prepare a working paper summarizing the
planning results.
14 Prepare Audit Program. When planning results in a ‘go’ decision, use the
guidance in (chapter 3, paragraph 8) to develop the audit program. Include a series
of steps to answer each objective.
APPENDIX G
ENTRANCE CONFERENCE SLIDES
Points of Contact
Internal Audit Points of Contact:
- Director/Inspector General
- Deputy Director for Audit
- Auditor
APPENDIX H
COMPUTER-GENERATED DATA RELIABILITY REPORTING
The following examples address different scenarios regarding the use and reliability of
computer-generated data obtained during audits. When writing the “Extent of Coverage”
paragraph, auditors should use one of the following examples, or a customized variation thereof,
to describe their assessment of the computer-generated data.
A2.1. Background Information Only. We extensively relied on computer-generated data
contained in the Standard Base Supply System. We used the data for informational purposes
only.
A2.2. Reliable Data -- Review of System Controls and Other Data Tests. We extensively
relied on computer-generated data contained in the Standard Base Supply System. We assessed
the reliability of data, including relevant general and application controls, and found them
adequate. To establish data reliability, we compared output data to manual documents to
validate data accuracy; reviewed output products for obvious errors, reasonableness, and
completeness; recalculated totals to verify math operations; and tested the system’s edit checks
to validate the rejection of erroneous data. Based on these tests, we concluded that the data were
reliable in meeting the audit objective.
A2.3. Reliable Data -- Data Tests Only. We extensively relied on computer-generated data
contained in the Standard Base Supply System. To establish data reliability, we compared output
data to manual documents to validate data accuracy; reviewed output products for obvious errors,
reasonableness, and completeness; and recalculated totals to verify math operations. Based on
these tests, we concluded that the data were reliable in meeting the audit objective.
A2.4. Unreliable But Usable Data. We extensively relied on computer-generated data
contained in the Standard Base Supply System. The results of data tests comparing output data
to manual documents to validate data accuracy; reviewing output products for obvious errors,
reasonableness, and completeness; and recalculating totals to verify math operations showed an
error rate that casts doubt on the data’s validity. However, we believe the opinions, conclusions,
and recommendations in this report are valid when viewed with other available evidence.
A2.5. Unreliable and Unusable Data. We extensively relied on computer-generated data
contained in the Standard Base Supply System. However, the results of data tests showed an
error rate that cast doubt on the data’s validity. Since the audit objectives required specific
statements based on this data and sufficient and appropriate independent evidence was not
available, we were unable to provide specific projections, conclusions, or recommendations.
A2.6. Reliability Not Determined -- No Material Impact on Audit Results. In most material
aspects, we accomplished the audit IAW generally accepted government auditing standards. We
did not follow certain aspects of the evidence standard. Specifically, we extensively relied on
computer-generated data contained in the Standard Base Supply System without conducting tests
to confirm the data’s reliability. We did not establish the data’s reliability because (state
reasons). In our opinion, however, not following that standard had no material effect on the
audit results.
A2.7. Reliability Not Determined -- Material Impact on Audit Results. In most material
aspects, we accomplished the audit IAW generally accepted government auditing standards. We
did not follow certain aspects of the evidence standard. Specifically, we extensively relied on
computer-generated data contained in the Standard Base Supply System without conducting tests
to confirm the data’s reliability. We did not establish the data’s reliability because (state
reasons). In our opinion, not making the evaluation had (state known impact on audit results).
APPENDIX I
REPORT OF AUDIT
INDEPENDENT REFERENCE REVIEWER (IRR) CHECKLIST
REFERENCER:
DATE COMPLETE: REPORT NO: DeCA CCIAXX- XX
EXECUTIVE SUMMARY YES NO NA
Introduction
Are all dollars, numbers, dates, regulation cites, and other
facts accurate and supported in the working papers?
Objectives
Are the objectives clearly stated and do they match the objectives
in the audit announcement memorandum/email?
Results
Are all conclusions (including positive statements) supported in
the working papers?
AUDIT RESULTS
Background
Is the background information (all dollars, numbers, dates, and
regulation cites), if any, accurate and supported in the working
papers?
Condition and Support
Are all figures, statements of fact, schedules, tables, graphs,
examples, and management corrective actions accurate and
supported in the working papers?
Cause
Is the cause supported in the working papers? For example, the
working papers must specifically support a cause that the Store
Director did not monitor coupon processing.
Impact
Are all figures accurate and supported in the working papers?
Recommendations
Are all regulation cites, if any, accurate and supported in the
working papers?
AUDIT SCOPE AND METHODOLOGY
Are the following accurate and supported in the working papers:
Background?
Criteria?
Audit scope information, including titles and time periods of
documents reviewed, sampling methodology, CAATTs
procedures, etc.?
Tests of internal controls?
Statement regarding reliability of computer processed data?
Prior audit coverage?
Out-conference discussions with management?
NOTES TO INDEPENDENT REFERENCE REVIEWER:
1. Place TeamMate tick marks or initials in the working papers next to the supporting evidence
and in the report next to the information referenced.
2. There may be information in the report that requires independent referencing that the auditor
did not hyperlink (cross reference) to supporting files. When that happens, return the working
papers to the auditor and ask him or her to complete the hyperlinks.
3. Document and explain all “No” answers in TeamMate coaching notes.
APPENDIX J
AUDIT REPORT REVIEWER CHECKLIST
Project No.:
Report No.:
YES NO
1. Executive Summary
a. Introduction
(1) Are mission and responsibilities of the audit
entity described?
(2) Are perspective/magnitude data provided
(quantities of dollars, assets, people, etc.)?
(3) If a request audit, is this fact noted in the
introduction?
b. Objectives
(1) Do the objectives in the report agree with the
objectives that were announced to management
at the start of the audit and with the objectives
stated in the program?
c. Results
(1) Does the results section state the overall
condition and any positive conclusions?
(2) Does each results paragraph briefly summarize
the condition and impact (but not the cause)?
(3) Are the results paragraphs presented in the same
order as discussed in the objectives paragraph?
(4) For each results paragraph, is the reader referred
to where the discussion is located in the report?
d. Recommendations
(1) Does the recommendation paragraph indicate the
number of recommendations and the general
nature of the recommendations?
(2) Does the recommendation paragraph refer the
reader to where the recommendations are located
in the report?
e. Management’s Response
(1) (Draft Report) Is “MANAGEMENT
COMMENTS” inserted after the executive
summary recommendations paragraph and left
blank in the draft report?
(2) (Final Report) Is a statement inserted in the
management comments paragraph of the final
report indicating whether or not management
concurred with the findings and
recommendations and if the actions planned or
already completed are responsive to the issues
and recommendations included in the report?
2. Contents Page
a. Do the results sections and appendix title(s) agree
with those used in report?
b. Are the page numbers accurate?
3. Results Sections
a. Background
(1) Does the background paragraph identify the
criteria used to evaluate conditions discussed?
(2) Does the background paragraph describe mission
and magnitude of operations for the activities
discussed (normally without repeating
information provided in the Executive
Summary)?
(3) Does the report provide additional information
the reader needs to understand the issues
discussed in the finding (but not unneeded
extraneous information)?
b. Audit Results
(1) Condition
(a) Do finding paragraphs include clearly
discernible condition, cause, and impact
statements?
(b) Does the topic/charge sentence (condition
statement) describe the problem in active
voice?
(c) Where possible, did the auditor use
examples to clarify and reinforce the
condition?
(d) Are numbers rounded off to enhance clarity
of presentation?
(e) Are locations where deficiencies were found
identified in the finding?
(f) If PMBs are identified, are the dollar
amounts clearly and accurately presented?
(g) Is vague or imprecise terminology
eliminated (e.g., some, not many, not
always)?
(2) Cause
(a) Do audit results (finding) paragraphs contain
clearly discernible cause statements which
describe why the condition occurred?
(b) Are the causes cited the "root" causes and
not subjective reasons (e.g., lack of
awareness, misinterpretation of guidance,
beliefs, etc.)?
(c) Is it clear the conditions could have occurred
as a result of the cited causes?
(3) Impact
(a) Does impact describe the effect of the
problem and illustrate how serious the
problem is?
(b) Is the relationship between the condition
statement and the impact clear and readily
discernible?
(c) If the impact is based on projections, did the
auditor use statistical sampling (versus
judgmental sampling)?
(4) Recommendations
(a) Is a recommendation provided for each
cause cited in the results paragraph?
(b) Is a recommendation provided, when
appropriate, to correct the deficient condition
(e.g., recoup lost assets, establish an account
receivable)?
(c) For each recommendation, is there a related
condition or cause?
(d) Are recommendations for specific action,
avoiding such words as verify, consider,
study, emphasize, and evaluate?
(5) Management Comments
(a) (Draft Report) At the end of the Results
section, does the draft report reserve space
for the management comments paragraph?
(b) (Final Report) Do management comments
clearly track/relate to the recommendations
and applicable finding?
(c) (Final Report) Do the comments clearly
indicate management's concurrence or
nonconcurrence with finding,
recommendation, and potential monetary
benefit?
(d) (Final Report) Were errors in grammar,
spelling, or punctuation corrected?
(e) (Final Report) Is an estimated completion
date provided for each agreed-to action?
(6) Evaluation of Management Comments
(a) (Draft Report) At the end of the Results
section, is a space reserved for the audit
evaluation statement concerning management
action or planned actions?
(b) (Final Report) Does the audit evaluation of
management comments clearly state whether
management's actions are responsive?
(c) (Final Report) Does the evaluation exclude
new facts not previously included in the
report?
(d) (Final Report) Do evaluations of adequate
management comments take the form
"Management comments and actions
planned and taken adequately address the
issues, recommendations, and potential
monetary benefits.”?
(e) (Final Report) Do evaluations address the
adequacy of alternative actions proposed in
management comments?
(f) (Final Report) Do evaluations effectively
rebut management assertions that disagree
with audit conclusions?
4. Report Appendices
a. Appendix I – General Audit Information
(1) Scope and Methodology. Does this section:
(a) Clearly indicate the parameters of the audit
and the methodology used in the review so
the reader fully understands work performed
and work not performed?
(b) Indicate when the audit was performed (from
month and year research started to month
and year summarization ended)?
(c) Clearly identify source documents used for
verification, confirmation, and other tests
during the audit (providing their titles and
the time periods)?
(d) Identify the significant internal and
management controls evaluated?
Optionally, this information can be presented
in the results paragraphs.
(e) Indicate the size (number of line items, units,
dollar values, transactions, etc.) of the
sample universe and the period covered?
Also, does this section indicate the sample
size and time period covered by the sample
and the type of sampling technique used?
(3) Data Reliability. Does the Data Reliability
paragraph:
(a) Discuss steps taken to verify the reliability
of computer-processed data used in the
audit?
(b) State that computer-processed data was not
used in the audit, if applicable?
(5) Discussion with Responsible Officials. Does this
section:
(a) Identify specific management officials with
whom the draft report was discussed?
(b) Indicate when the draft report was issued to
management (month, day, and year) for
comment?
(c) Give the date when management's formal
comments were received?
(6) Prior Audit Coverage. Does the Prior Audit
Coverage section:
(a) Include a paragraph that identifies DeCA,
DoDIG, and GAO reports related to the
current audit objectives that were followed
up on in the current audit?
(b) Include a paragraph titled “related reports”
that identifies reports of interest in the same
area as the current audit that did not require
follow up?
(7) Is the Freedom of Information Act statement
included in the Appendix footer?
APPENDIX K
AUDIT FOLLOW-UP LOG
1 2 3 4 5 6 7 8 9 10 11 12
Rpt
No.
Internal
Audit
Division
Audit
Title
Report
Date
Responsible
Auditor
No. of
Findings
No.
of
Recs.
Potential
Monetary
Benefit
(PMB)
Estimated
Completion
Date
Actual
Completion
Date
POC
F/U
Date
Date
Rpt.
Clsd
GLOSSARY
ACRONYMS
AICPA American Institute of Certified Public Accountants
AIMS Accounting and Inventory Management System
CAATTs Computer Assisted Auditing Tools and Techniques
CARTS Commissary Advanced Resale Transaction System
CCI Office of Inspector General
CCIA Internal Audit Division
CEO Chief Executive Officer
CLA CliftonLarsonAllen LLP (CPA Firm)
CPE continuing professional education
DeCA Defense Commissary Agency
DeCAD Defense Commissary Agency Directive
DeCAM Defense Commissary Agency Manual
DIBS DeCA Interactive Business System
DoD Department of Defense
DoDD Department of Defense Directive
DoDI Department of Defense Instruction
DoDIG Department of Defense Inspector General
DoDM Department of Defense Manual
EDI Electronic Data Interchange
EWP Electronic Working Papers
FAM Financial Audit Manual
FWA fraud, waste, and abuse
GAAP generally accepted accounting principles
GAGAS Generally Accepted Government Auditing Standards
GAO U.S. Government Accountability Office
HQ headquarters
IAW in accordance with
IG Inspector General
IRR Independent Reference Reviewer
LLP Limited Liability Partnership
MFR memorandum for record
O&M Operation and Maintenance
OMB Office of Management and Budget
PCIE President’s Council on Integrity and Efficiency
PMB Potential Monetary Benefit
SAVES Standard Automated Voucher Examination System
SME subject matter expert
ULO Unliquidated Obligation